Analysis
max time kernel: 101s
max time network: 105s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 03:19
Static task: static1
Behavioral task: behavioral1
  Sample: 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  Resource: win10v2004-20220812-en
General
Target: 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
Size: 165KB
MD5: 83c0b99427c026aad36b0d8204377702
SHA1: 76d17eff5dbe5d9129a35c70c31aef5c458827f3
SHA256: 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc
SHA512: c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b
SSDEEP: 3072:uprxs7OnuUJ3qELyKAYwAg0FuAc4omfKs1Qc2:uprxErE23/AOT8isOJ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1260, process winlogin.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E (process winlogin.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{0E98BAC7-5DDF-435B-B398-8BF63A298B0B}2403a }ZERMMMDR " (process winlogin.exe)
- Deletes itself (1 IoC)
  pid 1312, process cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1312, process cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winlogin.exe" (process winlogin.exe)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process winlogin.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 5: api.ipify.org
  flow 6: api.ipify.org
  flow 4: api.ipify.org
- Runs ping.exe (1 TTP, 1 IoC)
  pid 1280, process PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1736, process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  pid 1260, process winlogin.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeBackupPrivilege, pid 1736, process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  Token: SeSecurityPrivilege, pid 1736, process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  Token: SeSecurityPrivilege, pid 1736, process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe
  Token: SeBackupPrivilege, pid 1260, process winlogin.exe
  Token: SeSecurityPrivilege, pid 1260, process winlogin.exe
  Token: SeSecurityPrivilege, pid 1260, process winlogin.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1736 wrote to memory of 1484 (process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe, procid_target 28), 4 entries
  PID 1736 wrote to memory of 1312 (process 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe, procid_target 30), 4 entries
  PID 1312 wrote to memory of 1280 (process cmd.exe, procid_target 32), 4 entries
  PID 1312 wrote to memory of 1260 (process cmd.exe, procid_target 33), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe"
  PID: 1736
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
    PID: 1484
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
    PID: 1312
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 10 localhost
      PID: 1280
      - Runs ping.exe
    C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
      PID: 1260
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 165KB
MD5: 83c0b99427c026aad36b0d8204377702
SHA1: 76d17eff5dbe5d9129a35c70c31aef5c458827f3
SHA256: 3c96327c26c0f0d91e048d75c3b7c91f0caddf47d7eb8ab4ec75409deaa70bdc
SHA512: c8ceb8ea0ebfaa4e79871893938b5bb0c7864278cc5fafc37bd3312ccb72e95ed745188320ee227693c04415d4751249bd6ea56096532cc317b04da11c52ca0b