Analysis
-
max time kernel
168s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 19:30
Static task
static1
Behavioral task
behavioral1
Sample
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe
Resource
win10v2004-20220812-en
General
-
Target
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe
-
Size
219KB
-
MD5
d9fc38c11b88c277922a1af48cdaebf6
-
SHA1
12630cf78f29e2c81a3b757cbc48b95793f05301
-
SHA256
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd
-
SHA512
a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a
-
SSDEEP
6144:oAI9wC8bgvTAPGAAGWd1AOeo+m1D/cY8VDfy0:oABDgvTA+AAGWd14zm5/cYeq0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
winlogin.exepid process 2328 winlogin.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
winlogin.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E winlogin.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{97505399-5769-4930-8D6C-1BB5A93E429C}SERV }TMKNGOMU " winlogin.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winlogin.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run winlogin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" winlogin.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 26 api.ipify.org 27 api.ipify.org -
Processes:
winlogin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 winlogin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogin.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.execmd.exedescription pid process target process PID 4496 wrote to memory of 5108 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 4496 wrote to memory of 5108 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 4496 wrote to memory of 5108 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 4496 wrote to memory of 5004 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 4496 wrote to memory of 5004 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 4496 wrote to memory of 5004 4496 5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe cmd.exe PID 5004 wrote to memory of 4532 5004 cmd.exe PING.EXE PID 5004 wrote to memory of 4532 5004 cmd.exe PING.EXE PID 5004 wrote to memory of 4532 5004 cmd.exe PING.EXE PID 5004 wrote to memory of 2328 5004 cmd.exe winlogin.exe PID 5004 wrote to memory of 2328 5004 cmd.exe winlogin.exe PID 5004 wrote to memory of 2328 5004 cmd.exe winlogin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe"C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\cmd.execmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"2⤵PID:5108
-
C:\Windows\SysWOW64\cmd.execmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit2⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:4532 -
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies system certificate store
PID:2328
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exeFilesize
219KB
MD5d9fc38c11b88c277922a1af48cdaebf6
SHA112630cf78f29e2c81a3b757cbc48b95793f05301
SHA2565cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd
SHA512a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a
-
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exeFilesize
219KB
MD5d9fc38c11b88c277922a1af48cdaebf6
SHA112630cf78f29e2c81a3b757cbc48b95793f05301
SHA2565cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd
SHA512a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a
-
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exeFilesize
219KB
MD5d9fc38c11b88c277922a1af48cdaebf6
SHA112630cf78f29e2c81a3b757cbc48b95793f05301
SHA2565cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd
SHA512a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a
-
memory/2328-138-0x0000000000000000-mapping.dmp
-
memory/2328-141-0x0000000002590000-0x00000000026B5000-memory.dmpFilesize
1.1MB
-
memory/4496-132-0x0000000002760000-0x0000000002885000-memory.dmpFilesize
1.1MB
-
memory/4496-133-0x0000000002760000-0x0000000002885000-memory.dmpFilesize
1.1MB
-
memory/4532-137-0x0000000000000000-mapping.dmp
-
memory/5004-136-0x0000000000000000-mapping.dmp
-
memory/5108-134-0x0000000000000000-mapping.dmp