5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd

General

Target

5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe
Size

219KB
MD5

d9fc38c11b88c277922a1af48cdaebf6
SHA1

12630cf78f29e2c81a3b757cbc48b95793f05301
SHA256

5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd
SHA512

a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a
SSDEEP

6144:oAI9wC8bgvTAPGAAGWd1AOeo+m1D/cY8VDfy0:oABDgvTA+AAGWd14zm5/cYeq0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winlogin.exe

pid process

2328 winlogin.exe

pid	process
2328	winlogin.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E	winlogin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{97505399-5769-4930-8D6C-1BB5A93E429C}SERV }TMKNGOMU "	winlogin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"	winlogin.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
27 api.ipify.org

flow	ioc
26	api.ipify.org
27	api.ipify.org

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

winlogin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	winlogin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	winlogin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4532 PING.EXE

pid	process
4532	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.execmd.exe

description	pid	process	target process
PID 4496 wrote to memory of 5108	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 4496 wrote to memory of 5108	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 4496 wrote to memory of 5108	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 4496 wrote to memory of 5004	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 4496 wrote to memory of 5004	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 4496 wrote to memory of 5004	4496	5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe	cmd.exe
PID 5004 wrote to memory of 4532	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 4532	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 4532	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 2328	5004	cmd.exe	winlogin.exe
PID 5004 wrote to memory of 2328	5004	cmd.exe	winlogin.exe
PID 5004 wrote to memory of 2328	5004	cmd.exe	winlogin.exe

C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe
"C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
2⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:4532

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies system certificate store
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize
219KB

MD5
d9fc38c11b88c277922a1af48cdaebf6

SHA1
12630cf78f29e2c81a3b757cbc48b95793f05301

SHA256
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd

SHA512
a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize
219KB

MD5
d9fc38c11b88c277922a1af48cdaebf6

SHA1
12630cf78f29e2c81a3b757cbc48b95793f05301

SHA256
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd

SHA512
a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize
219KB

MD5
d9fc38c11b88c277922a1af48cdaebf6

SHA1
12630cf78f29e2c81a3b757cbc48b95793f05301

SHA256
5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd

SHA512
a9d4a93a8546eda7003ec45ec903e01701e457aeefa6d0fd9ce6a9d4638f05d4e5fe76fd40c3b070a6d513cb817a4344574bb78c26ece80efe6ee1ed9b0d8b6a

Download Submit
memory/2328-138-0x0000000000000000-mapping.dmp

Download
memory/2328-141-0x0000000002590000-0x00000000026B5000-memory.dmp

Filesize
1.1MB

Download
memory/4496-132-0x0000000002760000-0x0000000002885000-memory.dmp

Filesize
1.1MB

Download
memory/4496-133-0x0000000002760000-0x0000000002885000-memory.dmp

Filesize
1.1MB

Download
memory/4532-137-0x0000000000000000-mapping.dmp

Download
memory/5004-136-0x0000000000000000-mapping.dmp

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads