8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71

General

Target

8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe
Size

103KB
MD5

af492f4985b1486f035a2199086921c3
SHA1

748a4865c24eb3c0e21a5b9e6e32a8f9ac2130f0
SHA256

8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71
SHA512

7cb35416aa9e537438158acba7b2bbd9685466800bcfe99429b90e26d80eae598f89c3d8728118aa08e93cf372b0f8bf0c7e5249b695dee7d41506cfd161088a
SSDEEP

3072:DWw/LXWDZ+DxBNb1SpuxJqQRmxrXbLWGO:DWw/DW5uaQRQfY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1600	winlogin.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{2DB91C84-8AB8-4735-A51D-D8500F018273}GR }TMKNGOMU "	winlogin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E	winlogin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe"	winlogin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
37	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5096	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1896	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	79
PID 4988 wrote to memory of 1896	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	79
PID 4988 wrote to memory of 1896	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	79
PID 4988 wrote to memory of 5064	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	81
PID 4988 wrote to memory of 5064	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	81
PID 4988 wrote to memory of 5064	4988	8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe	81
PID 5064 wrote to memory of 5096	5064	cmd.exe	83
PID 5064 wrote to memory of 5096	5064	cmd.exe	83
PID 5064 wrote to memory of 5096	5064	cmd.exe	83
PID 5064 wrote to memory of 1600	5064	cmd.exe	85
PID 5064 wrote to memory of 1600	5064	cmd.exe	85
PID 5064 wrote to memory of 1600	5064	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe
"C:\Users\Admin\AppData\Local\Temp\8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  2⤵
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5096
- - C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
    "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
103KB

MD5
af492f4985b1486f035a2199086921c3

SHA1
748a4865c24eb3c0e21a5b9e6e32a8f9ac2130f0

SHA256
8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71

SHA512
7cb35416aa9e537438158acba7b2bbd9685466800bcfe99429b90e26d80eae598f89c3d8728118aa08e93cf372b0f8bf0c7e5249b695dee7d41506cfd161088a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
103KB

MD5
af492f4985b1486f035a2199086921c3

SHA1
748a4865c24eb3c0e21a5b9e6e32a8f9ac2130f0

SHA256
8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71

SHA512
7cb35416aa9e537438158acba7b2bbd9685466800bcfe99429b90e26d80eae598f89c3d8728118aa08e93cf372b0f8bf0c7e5249b695dee7d41506cfd161088a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

Filesize
103KB

MD5
af492f4985b1486f035a2199086921c3

SHA1
748a4865c24eb3c0e21a5b9e6e32a8f9ac2130f0

SHA256
8be655497ded041cc896788e543e5dad24a5dea518f9d869e376948b004c2e71

SHA512
7cb35416aa9e537438158acba7b2bbd9685466800bcfe99429b90e26d80eae598f89c3d8728118aa08e93cf372b0f8bf0c7e5249b695dee7d41506cfd161088a

Download Submit
memory/1600-141-0x0000000002660000-0x0000000002779000-memory.dmp

Filesize
1.1MB

Download
memory/1600-142-0x0000000002660000-0x0000000002779000-memory.dmp

Filesize
1.1MB

Download
memory/4988-132-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download
memory/4988-135-0x0000000002A40000-0x0000000002B59000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads