Analysis
- max time kernel: 163s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:29
Static task: static1
Behavioral task: behavioral1
- Sample: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
- Resource: win10v2004-20221111-en
General
- Target: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
- Size: 99KB
- MD5: aeb001c0ad849f513eeaabf035ad3cdd
- SHA1: 9629daaf2fea86d645b5a09d1d61bbb96bc9cd80
- SHA256: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467
- SHA512: 99d49986d7b9d42710ac329d091adabedf7cef38a57a273ee0927b74daf272acce320a610d78fee268d2ae19982f80830a16cb49ccfbc01cb882178ed54b1086
- SSDEEP: 1536:VP/eJjJifnHufeMPykoEU4T7JhHWELKNaeRlriYmljvkWwLobkT+:VP/2NeHufu4T7DHW3XriYmljOLobS+
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 5100: winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes:
    winlogin.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E
    winlogin.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{2FE8779E-0F7A-4EBF-9B5B-4A8383072.24932E-312R0902NEWGROUP}SOCAAGDT "
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    winlogin.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    winlogin.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 86: api.ipify.org
    flow 87: api.ipify.org
- Program crash (1 IoC)
  Processes:
    pid 3788 (WerFault.exe), target pid 452
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pair is listed three times in the report):
    PID 628 (327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe) wrote to memory of PID 3432 (cmd.exe)
    PID 628 (327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe) wrote to memory of PID 4508 (cmd.exe)
    PID 4508 (cmd.exe) wrote to memory of PID 1812 (PING.EXE)
    PID 4508 (cmd.exe) wrote to memory of PID 5100 (winlogin.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 10 localhost
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Adds Run key to start application
1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 452 -ip 452
1. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -u -p 452 -s 768
   - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 99KB
  MD5: aeb001c0ad849f513eeaabf035ad3cdd
  SHA1: 9629daaf2fea86d645b5a09d1d61bbb96bc9cd80
  SHA256: 327faee10eb440a2dfbaed6fc7acb563b364e58aa920f318fcedcb7225e40467
  SHA512: 99d49986d7b9d42710ac329d091adabedf7cef38a57a273ee0927b74daf272acce320a610d78fee268d2ae19982f80830a16cb49ccfbc01cb882178ed54b1086
- memory/628-132-0x0000000002840000-0x0000000002949000-memory.dmp (Filesize: 1.0MB)
- memory/1812-136-0x0000000000000000-mapping.dmp
- memory/3432-133-0x0000000000000000-mapping.dmp
- memory/4508-135-0x0000000000000000-mapping.dmp
- memory/5100-137-0x0000000000000000-mapping.dmp
- memory/5100-140-0x0000000002510000-0x0000000002619000-memory.dmp (Filesize: 1.0MB)