Analysis

  • max time kernel
    101s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 03:19

General

  • Target

    3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe

  • Size

    165KB

  • MD5

    83c0b99427c026aad36b0d8204377702

  • SHA1

    76d17eff5dbe5d9129a35c70c31aef5c458827f3

  • SHA256

    3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc

  • SHA512

    c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b

  • SSDEEP

    3072:uprxs7OnuUJ3qELyKAYwAg0FuAc4omfKs1Qc2:uprxErE23/AOT8isOJ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
    "C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      2⤵
        PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:1280
        • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
          "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
          3⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1260

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

      Filesize

      165KB

      MD5

      83c0b99427c026aad36b0d8204377702

      SHA1

      76d17eff5dbe5d9129a35c70c31aef5c458827f3

      SHA256

      3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc

      SHA512

      c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b

    • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

      Filesize

      165KB

      MD5

      83c0b99427c026aad36b0d8204377702

      SHA1

      76d17eff5dbe5d9129a35c70c31aef5c458827f3

      SHA256

      3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc

      SHA512

      c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b

    • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe

      Filesize

      165KB

      MD5

      83c0b99427c026aad36b0d8204377702

      SHA1

      76d17eff5dbe5d9129a35c70c31aef5c458827f3

      SHA256

      3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc

      SHA512

      c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b

    • \Users\Admin\AppData\Roaming\Windows\winlogin.exe

      Filesize

      165KB

      MD5

      83c0b99427c026aad36b0d8204377702

      SHA1

      76d17eff5dbe5d9129a35c70c31aef5c458827f3

      SHA256

      3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc

      SHA512

      c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b

    • memory/1260-61-0x0000000000000000-mapping.dmp

    • memory/1260-63-0x0000000000240000-0x0000000000260000-memory.dmp

      Filesize

      128KB

    • memory/1260-64-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

      Filesize

      8KB

    • memory/1280-58-0x0000000000000000-mapping.dmp

    • memory/1312-57-0x0000000000000000-mapping.dmp

    • memory/1484-55-0x0000000000000000-mapping.dmp

    • memory/1736-54-0x00000000002B0000-0x00000000002D0000-memory.dmp

      Filesize

      128KB