Analysis
- max time kernel: 193s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 09:00
Static task: static1

Behavioral task: behavioral1
- Sample: 35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe
- Resource: win10v2004-20221111-en
General
- Target: 35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe
- Size: 90KB
- MD5: db835bba2dafa1729db620b908f5e70f
- SHA1: 5cb5d095875e2d6e46eacc03c12bbc4189c138e2
- SHA256: 35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252
- SHA512: bcbd75978c152ddbbe72b201e5f68bbd9807690d5f9f839481e53852c36a65cbe804f9845762c363a78cc270eccb6bb5a1a1e7df2800cd205ed0df7dd7c8ca0b
- SSDEEP: 1536:DrhPDpRvH4RqIL8kh3eyT/uWEC7qthGEmOjq5Rj5f:DrBDpRvY+yqqE/j+R
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 3824  winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes (winlogin.exe):
  Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{21E8D207-8AB6-493E-9BF7-012F90CEC313}GR }WIJBFSKT "
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (winlogin.exe):
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 71  api.ipify.org
  flow 72  api.ipify.org
- Modifies system certificate store
  Processes (winlogin.exe):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob elided]
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 3208 wrote to memory of 3896  35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe -> cmd.exe  (3 events)
  PID 3208 wrote to memory of 3112  35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe -> cmd.exe  (3 events)
  PID 3112 wrote to memory of 1572  cmd.exe -> PING.EXE  (3 events)
  PID 3112 wrote to memory of 3824  cmd.exe -> winlogin.exe  (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe"
  PID: 3208
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
    PID: 3896
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    PID: 3112
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 10 localhost
      PID: 1572
      Signatures: Runs ping.exe
    - C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      PID: 3824
      Signatures: Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application; Modifies system certificate store
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
  Filesize: 90KB
  MD5: db835bba2dafa1729db620b908f5e70f
  SHA1: 5cb5d095875e2d6e46eacc03c12bbc4189c138e2
  SHA256: 35063285fbb903f7349685e4263b25d0124fd087ba2a708202f7782de46d8252
  SHA512: bcbd75978c152ddbbe72b201e5f68bbd9807690d5f9f839481e53852c36a65cbe804f9845762c363a78cc270eccb6bb5a1a1e7df2800cd205ed0df7dd7c8ca0b
- memory/1572-136-0x0000000000000000-mapping.dmp
- memory/3112-135-0x0000000000000000-mapping.dmp
- memory/3208-132-0x0000000002400000-0x0000000002540000-memory.dmp
  Filesize: 1.2MB
- memory/3824-137-0x0000000000000000-mapping.dmp
- memory/3824-140-0x0000000002310000-0x0000000002450000-memory.dmp
  Filesize: 1.2MB
- memory/3896-133-0x0000000000000000-mapping.dmp