Analysis
- max time kernel: 95s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe
- Resource: win10v2004-20220812-en
General
- Target: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe
- Size: 142KB
- MD5: 2f8697713eeec7784863c1bf21e00d08
- SHA1: be7506a336bbc08e65c4fbb006a56826e5411da9
- SHA256: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004
- SHA512: ebe0b892f8816a5c38a874b442a9e9f8dd81969b94ef63a611fe8b1bf0af6ff59c78065cce48d3e07bc2d844c0609823e61068acd576cb5b4a4338705ce1f2e3
- SSDEEP: 1536:BseyxDJOye1B5t64B8VzI7CKok/3e97SNsLUyq3B8l9wntZTBbEDSrX95fR:BseytJOygmqpo97SwlSnvTBbv
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: winlogin.exe
    pid 4496, process winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E (process: winlogin.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{CE46193A-1D7C-407F-AFD0-6AD008EEC710}SERV }XZIOFAVD " (process: winlogin.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: winlogin.exe
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: winlogin.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" (process: winlogin.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 36, ioc api.ipify.org
    flow 35, ioc api.ipify.org
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe, cmd.exe
    PID 792 wrote to memory of 1324: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 792 wrote to memory of 1324: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 792 wrote to memory of 1324: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 792 wrote to memory of 320: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 792 wrote to memory of 320: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 792 wrote to memory of 320: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe -> cmd.exe
    PID 320 wrote to memory of 384: cmd.exe -> PING.EXE
    PID 320 wrote to memory of 384: cmd.exe -> PING.EXE
    PID 320 wrote to memory of 384: cmd.exe -> PING.EXE
    PID 320 wrote to memory of 4496: cmd.exe -> winlogin.exe
    PID 320 wrote to memory of 4496: cmd.exe -> winlogin.exe
    PID 320 wrote to memory of 4496: cmd.exe -> winlogin.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe"
   PID: 792
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      PID: 1324
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
      PID: 320
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping -n 10 localhost
         PID: 384
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
         command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
         PID: 4496
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 142KB
  MD5: 2f8697713eeec7784863c1bf21e00d08
  SHA1: be7506a336bbc08e65c4fbb006a56826e5411da9
  SHA256: 7a2984a582274d97b3eb24b6548865f3549813c606982610a121292671aa5004
  SHA512: ebe0b892f8816a5c38a874b442a9e9f8dd81969b94ef63a611fe8b1bf0af6ff59c78065cce48d3e07bc2d844c0609823e61068acd576cb5b4a4338705ce1f2e3
- memory/320-136-0x0000000000000000-mapping.dmp
- memory/384-137-0x0000000000000000-mapping.dmp
- memory/792-132-0x0000000002410000-0x0000000002511000-memory.dmp (Filesize: 1.0MB)
- memory/792-135-0x0000000002410000-0x0000000002511000-memory.dmp (Filesize: 1.0MB)
- memory/1324-133-0x0000000000000000-mapping.dmp
- memory/4496-138-0x0000000000000000-mapping.dmp
- memory/4496-141-0x0000000002430000-0x0000000002531000-memory.dmp (Filesize: 1.0MB)
- memory/4496-142-0x0000000002430000-0x0000000002531000-memory.dmp (Filesize: 1.0MB)