Analysis
max time kernel: 104s
max time network: 122s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:16
Static task: static1
Behavioral task: behavioral1
Sample: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe
Resource: win10v2004-20220901-en
General
Target: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe
Size: 89KB
MD5: 6bb3b23ff3e736d499775120aa8d6ae2
SHA1: f52f40f5a65230670db355cff2845c285ef2b25c
SHA256: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31
SHA512: 3c8aa855e7fd401577657315f8db34bf383d0565e4a3f47395750616f80a41025a96d42165df03ef8e620f73dd839444887e8e505ab6a445877a60200d458af4
SSDEEP: 1536:O67JRV1jaC09gnjhCX92tSklfO97YII3JwjR0b2iFyO/pDUBY:fln1jaC1njPZtIyuR0bnFyORGY
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID 1728: winlogin.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E (winlogin.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{3127FF11-907B-4F3B-90C7-795ECC517482}GR }ORXGKKZC " (winlogin.exe)
-
Deletes itself 1 IoCs
Processes:
PID 1116: cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
PID 1116: cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" (winlogin.exe)
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (winlogin.exe)
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 4: api.ipify.org
flow 5: api.ipify.org
flow 6: api.ipify.org
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
PID 2024 (e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe) wrote to memory of PID 896 (cmd.exe), 4 entries
PID 2024 (e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe) wrote to memory of PID 1116 (cmd.exe), 4 entries
PID 1116 (cmd.exe) wrote to memory of PID 1732 (PING.EXE), 4 entries
PID 1116 (cmd.exe) wrote to memory of PID 1728 (winlogin.exe), 7 entries
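Added example (not part of the Triage report and not the sample's code): a small classifier for the two registry signatures above, run over constructed Sysmon-style registry events that reproduce the IoCs listed in this report. It separates the Run key write, which is real logon persistence (written to HKLM through the Wow6432Node redirect because the writer is a 32-bit process; the write succeeded, so on this sandbox the process had rights to HKLM, while on a standard-user account the same code would have to fall back to HKCU, so a detection should watch both hives), from the Active Setup Installed Components write, which only set a `cfg` value under HKCU. Active Setup executes StubPath values from the HKLM side only and uses the HKCU side as per-user "already ran" markers, so a `cfg` value under HKCU is configuration storage rather than a second autostart. The RegEvent record shape, the benign control event and the tag names are assumptions for this example.

```python
"""Classify registry IoCs from a sandbox report (added example, not the report's code).

RegEvent is an assumed, constructed record shape standing in for a Sysmon
EventID 12/13 record; the tag names are likewise assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegEvent:
    process: str                     # image name of the writing process, e.g. "winlogin.exe"
    op: str                          # "key_created" or "set_value"
    key: str                         # kernel object path as the report prints it
    value_name: Optional[str] = None
    data: Optional[str] = None


# HKLM/HKCU ...\CurrentVersion\Run and RunOnce, with or without the WOW64 redirect
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?P<kind>RunOnce|Run)$",
    re.I,
)
# ...\Active Setup\Installed Components\<GUID>; braces optional (Windows itself uses braces)
ACTIVE_SETUP = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"(?P<comp>\{?[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?)$",
    re.I,
)
# Directories an unprivileged user can write to; a Run target living here is a strong signal
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def classify(ev: RegEvent) -> List[str]:
    """Return the tags that apply to one registry event (empty list = nothing notable)."""
    tags: List[str] = []
    machine = ev.key.upper().startswith("\\REGISTRY\\MACHINE")
    scope = "machine" if machine else "user"

    if (m := RUN_KEY.search(ev.key)) and ev.op == "set_value":
        # A value under Run/RunOnce is executed at logon: persistence regardless of hive.
        tags.append(f"{scope}_{m['kind'].lower()}_persistence")
        target = (ev.data or "").lower()
        if any(d in target for d in USER_WRITABLE):
            tags.append("run_target_in_user_writable_path")
        # Malware often names the Run entry after its own binary ("winlogin" -> winlogin.exe)
        stem = ev.process.lower().rsplit(".", 1)[0]
        if (ev.value_name or "").lower() == stem:
            tags.append("run_entry_named_after_writer")
    elif (m := ACTIVE_SETUP.search(ev.key)):
        # Only an HKLM StubPath is executed by Active Setup; anything else under this key
        # (HKCU side, or a non-StubPath value such as "cfg") is storage, not an autostart.
        if machine and ev.op == "set_value" and (ev.value_name or "").lower() == "stubpath":
            tags.append("active_setup_stubpath_persistence")
        else:
            tags.append("active_setup_component_touched")
        if not m["comp"].startswith("{"):
            tags.append("active_setup_unbraced_component_guid")

    if "\\wow6432node\\" in ev.key.lower():
        # HKLM\Software writes from a 32-bit process on x64 land here: reveals the writer's bitness
        tags.append("wow64_redirected_write")
    return tags


SID = r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000"
COMP = SID + r"\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E"
RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed events reproducing the IoCs in this report, plus one constructed benign control.
EVENTS = [
    RegEvent("winlogin.exe", "key_created", COMP),
    RegEvent("winlogin.exe", "set_value", COMP, "cfg",
             "{3127FF11-907B-4F3B-90C7-795ECC517482}GR }ORXGKKZC "),
    RegEvent("winlogin.exe", "key_created", RUN.replace("SOFTWARE", "Software")),
    RegEvent("winlogin.exe", "set_value", RUN, "winlogin",
             r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"),
    # benign control: an installer registering an autostart that lives in a system directory
    RegEvent("msiexec.exe", "set_value",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        leaf = ev.key.rsplit("\\", 1)[-1]
        print(f"{ev.op:<11} {leaf:<40} {classify(ev)}")
```

The interesting output is the difference between the two Run writes: the report's entry gets three extra tags (target under AppData, entry named after the writer, WOW64 redirect) that the benign control does not, which is what you would key a hunt on rather than on the bare Run key write.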
Processes
-
PID 2024  C:\Users\Admin\AppData\Local\Temp\e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe"
  - Suspicious use of WriteProcessMemory
  PID 896  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  PID 1116  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 1732  C:\Windows\SysWOW64\PING.EXE  (depth 3)
      command line: ping -n 10 localhost
      - Runs ping.exe
    PID 1728  C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
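Added example (not the report's or the sample's code): a parser for the two cmd.exe command lines in the tree above, run over constructed process-creation records. The second cmd.exe is the classic delayed self-delete: `ping -n 10 localhost` stalls for roughly ten seconds so the dropper can exit and its image file is no longer in use, `del` removes the original from %TEMP%, and `start` launches the copy in %APPDATA% (which, per the Downloads section, is byte-identical to the submitted sample). The first cmd.exe rewrites winlogin.exe through `type ... > ___ && move /Y ___ ...`; a side effect of that idiom is that the rewritten file has no alternate data streams, so a Zone.Identifier mark-of-the-web on the original would not survive it (whether that was the intent here is not something the report can show). Note also that all 19 WriteProcessMemory IoCs above are writes from a parent into a process it has just spawned (2024 to 896 and 1116, 1116 to 1732 and 1728), which is consistent with ordinary process creation rather than injection into an unrelated process. The ProcEvent record shape, the benign control and the rule names are assumptions for this example.

```python
"""Parse cmd.exe command lines for the delayed self-delete and copy-in-place idioms.

Added example, not code from the report or the sample. ProcEvent is an assumed
record shape standing in for a process-creation event; rule names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str           # full path of the new process
    parent_image: str    # full path of the process that spawned it
    command_line: str


# "cmd /D /R ..." or "C:\...\cmd.exe /c ...": strip the interpreter and its switches
CMD_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?(?:\s+/\w+)*\s+', re.I)
PING_RE = re.compile(r"^ping(?:\.exe)?\s+(?P<args>.+)$", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\s+(?:/\w\s+)*(?P<path>.+)$", re.I)
START_RE = re.compile(r'^start\s+(?:/\w+\s+)*(?:""\s+)?(?P<path>.+)$', re.I)
TYPE_RE = re.compile(r"^type\s+(?P<src>.+?)\s*>\s*(?P<tmp>\S+)$", re.I)
MOVE_RE = re.compile(r"^move\s+(?:/y\s+)?(?P<tmp>\S+)\s+(?P<dst>.+)$", re.I)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _segments(cmdline: str) -> List[str]:
    """Split a cmd.exe line into its '&&'-chained commands, minus the cmd prefix (single '&' ignored)."""
    body = CMD_PREFIX.sub("", cmdline, count=1)
    return [s.strip() for s in body.split("&&") if s.strip()]


def _ping_target(args: str) -> Tuple[str, int]:
    """Return (host, echo count); ping waits about one second per echo, so count ~ delay in seconds."""
    toks = args.split()
    count = 4  # Windows ping default
    for i, t in enumerate(toks):
        if t.lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            count = int(toks[i + 1])
    return (toks[-1].lower() if toks else ""), count


def analyze(ev: ProcEvent) -> List[Dict]:
    """Return rule hits for one process-creation record."""
    findings: List[Dict] = []
    ping: Optional[Tuple[str, int]] = None
    deleted: Optional[str] = None
    started: Optional[str] = None
    typed: Optional[Tuple[str, str]] = None   # (source file, temp name) from "type src > tmp"
    for seg in _segments(ev.command_line):
        if (m := PING_RE.match(seg)):
            ping = _ping_target(m["args"])
        elif (m := DEL_RE.match(seg)):
            deleted = _norm(m["path"])
        elif (m := START_RE.match(seg)):
            started = _norm(m["path"])
        elif (m := TYPE_RE.match(seg)):
            typed = (_norm(m["src"]), m["tmp"])
        elif ((m := MOVE_RE.match(seg)) and typed
              and m["tmp"] == typed[1] and _norm(m["dst"]) == typed[0]):
            # type X > tmp && move tmp X: X is recreated from its primary stream only, so any
            # alternate data stream on the original (e.g. Zone.Identifier) does not survive.
            findings.append({"rule": "rewrite_in_place", "pid": ev.pid, "file": typed[0]})
    if ping and ping[0] in LOOPBACK and deleted:
        # loopback ping used as a sleep, then delete: is the victim the spawning process's image?
        findings.append({
            "rule": "delayed_self_delete", "pid": ev.pid, "delay_s": ping[1],
            "deleted": deleted, "deletes_parent_image": deleted == _norm(ev.parent_image),
        })
    if started and any(d in started for d in USER_WRITABLE):
        findings.append({"rule": "start_from_user_writable", "pid": ev.pid, "target": started})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"

# Constructed records reproducing the tree above, plus one constructed benign control.
EVENTS = [
    ProcEvent(896, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
              f'cmd /D /R type "{PAYLOAD}" > ___ && move /Y ___ "{PAYLOAD}"'),
    ProcEvent(1116, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
              f'cmd /D /R ping -n 10 localhost && del "{SAMPLE}" && start /B "" "{PAYLOAD}" && exit'),
    # benign control: a connectivity check that deletes nothing
    ProcEvent(4242, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd /c ping -n 4 localhost && echo up"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        for f in analyze(ev):
            print(f"pid {ev.pid}: {f}")
```

The `deletes_parent_image` field is the discriminator worth alerting on: a loopback ping followed by `del` of some file is common in installers and scripts, but `del` of the spawning process's own image, followed by `start` of a binary under AppData, is the dropper pattern this report shows.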
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize: 89KB
MD5: 6bb3b23ff3e736d499775120aa8d6ae2
SHA1: f52f40f5a65230670db355cff2845c285ef2b25c
SHA256: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31
SHA512: 3c8aa855e7fd401577657315f8db34bf383d0565e4a3f47395750616f80a41025a96d42165df03ef8e620f73dd839444887e8e505ab6a445877a60200d458af4
-
\Users\Admin\AppData\Roaming\Windows\winlogin.exe
Filesize: 89KB
MD5: 6bb3b23ff3e736d499775120aa8d6ae2
SHA1: f52f40f5a65230670db355cff2845c285ef2b25c
SHA256: e1c3ee486d23903dc87e69d85904a1b7d3ad2d0b272ae4eec6ad33077ab7fe31
SHA512: 3c8aa855e7fd401577657315f8db34bf383d0565e4a3f47395750616f80a41025a96d42165df03ef8e620f73dd839444887e8e505ab6a445877a60200d458af4
-
memory/896-55-0x0000000000000000-mapping.dmp
-
memory/1116-58-0x0000000000000000-mapping.dmp
-
memory/1728-62-0x0000000000000000-mapping.dmp
-
memory/1728-64-0x0000000001F30000-0x00000000020AE000-memory.dmp (Filesize: 1.5MB)
-
memory/1728-65-0x0000000074D81000-0x0000000074D83000-memory.dmp (Filesize: 8KB)
-
memory/1728-66-0x0000000001F30000-0x00000000020AE000-memory.dmp (Filesize: 1.5MB)
-
memory/1732-59-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x0000000001F30000-0x00000000020AE000-memory.dmp (Filesize: 1.5MB)
-
memory/2024-57-0x0000000001F30000-0x00000000020AE000-memory.dmp (Filesize: 1.5MB)