Analysis
- max time kernel: 53s
- max time network: 62s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 03:19
Static task: static1
Behavioral task: behavioral1
- Sample: a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe
- Resource: win10v2004-20221111-en
General
- Target: a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe
- Size: 109KB
- MD5: 364a4598b51f44332e67e001f1b0803f
- SHA1: ff42dec2fdddb5d7714b0269afaac3aa5b26a0e3
- SHA256: a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf
- SHA512: b601b809182b3a3fc636d3a0ea6daf11b42244b0ce2d0a486353d1aa5913a109daafc4592898e80faa1a5f8e4632b7a09a5e0cbb5e740b7d8a236354bf80c9af
- SSDEEP: 3072:c6vgNUWoU9E2TQacJR4NoupGZQohR2bMX5U:c6vg2LU9E2TGXRQ4R3a
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID 528   winlogin.exe
-
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E   (winlogin.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E\cfg = "{DD18A49E-5F23-42C5-9D63-3D37D0CA6298}1603 }RYNKSFQE "   (winlogin.exe)
  Note: both writes land in the user hive and the only value set is "cfg". Active Setup executes a component's StubPath from the HKLM key at logon; the per-user copy of the key only records that the component has already run for that user. As captured here, the key is being used to store configuration, not as a logon trigger. The Run key below is the persistence mechanism this report actually shows.
-
Deletes itself (1 IoC)
  PID 1532  cmd.exe
-
Loads dropped DLL (1 IoC)
  PID 1532  cmd.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run   (winlogin.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"   (winlogin.exe)
  Note: the Wow6432Node path means the value was written by a 32-bit process on the x64 guest, consistent with the SysWOW64 cmd.exe and PING.EXE in the process tree. Entries under the 32-bit Run key are still executed at logon on 64-bit Windows, and the target sits in a user-writable directory (AppData\Roaming), so this is a machine-wide autostart that a non-admin could have written.
-
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows 4, 5, 6   api.ipify.org
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1464  a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe   (2 events)
  PID 528   winlogin.exe   (2 events)
-
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1464  a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe  wrote to  PID 1120  cmd.exe        (4 events)
  PID 1464  a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe  wrote to  PID 1532  cmd.exe        (4 events)
  PID 1532  cmd.exe  wrote to  PID 600   PING.EXE      (4 events)
  PID 1532  cmd.exe  wrote to  PID 528   winlogin.exe  (4 events)
  Note: every target is a child the writer itself spawned (see the process tree), so these writes belong to process creation, not to injection into an unrelated process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 10 localhost
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses

Reading the tree: the first cmd.exe (PID 1120) rewrites the already-dropped copy in place through a temporary file named ___ in the working directory (type ... > ___, then move /Y ___ back over the target); the report does not show the parent's original write of winlogin.exe. The second cmd.exe (PID 1532) is the hand-off. "ping -n 10 localhost" is a sleep of roughly nine seconds (ping waits one second between echo requests and localhost answers immediately); del can only remove the file in Temp once the parent (PID 1464) has exited and released its image, after which the copy in AppData\Roaming\Windows is started in the background and the shell exits. That is why the "Deletes itself" signature is attributed to cmd.exe rather than to the sample, and why the relaunched copy (PID 528), not the original, is the process that writes the Run key.
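The hand-off chain and the two registry writes above are worth matching structurally rather than by hash, since the dropped copy has the same hash as the sample and the file name will change between builds. The Python below is an added example (not the sandbox's or the sample's code) that takes process and registry records shaped like this report's and flags three things: a cmd.exe that sleeps via ping, deletes its parent's image and starts another executable; a Run/RunOnce value whose target lives in a user-writable directory; and Active Setup component writes, recording whether a StubPath value was ever set. The Proc and RegWrite record layout, the PROCS and REG lists, and the field names in the results are this script's own assumptions built from the page, not the sandbox's export format; the Run value's backslashes, which the report prints doubled, are written plainly.

```python
import re
from collections import namedtuple

# Added example, not the sandbox's or the sample's code. PROCS and REG are built
# from this report's process tree and registry IoCs; the record shapes and field
# names are this script's own assumptions, not the sandbox's export format.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-4063495947-34355257-727531523-1000"
AS_KEY = HKU + r"\Software\Microsoft\Active Setup\Installed Components\05F16C88-71D3-42C1-BB4F-E9BAF7DB4A9E"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

Proc = namedtuple("Proc", "pid ppid image cmdline")
RegWrite = namedtuple("RegWrite", "pid key value data", defaults=(None, None))  # value None: key created

PROCS = [
    Proc(1464, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1120, 1464, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd /D /R type "{DROPPED}" > ___ && move /Y ___ "{DROPPED}"'),
    Proc(1532, 1464, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd /D /R ping -n 10 localhost && del "{SAMPLE}" && start /B "" "{DROPPED}" && exit'),
    Proc(600, 1532, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    Proc(528, 1532, DROPPED, f'"{DROPPED}"'),
]
REG = [  # the report prints the Run value with doubled backslashes; written plainly here
    RegWrite(528, AS_KEY),
    RegWrite(528, AS_KEY, "cfg", "{DD18A49E-5F23-42C5-9D63-3D37D0CA6298}1603 }RYNKSFQE "),
    RegWrite(528, RUN_KEY),
    RegWrite(528, RUN_KEY, "winlogin", DROPPED),
]

CMD_PREFIX = re.compile(r"^cmd(?:\.exe)?(?:\s+/[A-Za-z])*\s+", re.I)
PING_RE = re.compile(r"^ping(?:\s+-n\s+(\d+))?\s+\S+", re.I)
DEL_RE = re.compile(r'^(?:del|erase)(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)
START_RE = re.compile(r'^start(?:\s+/\w+)*(?:\s+"")?\s+"?([^"]+?)"?\s*$', re.I)
RUN_KEY_RE = re.compile(r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\\{?([0-9A-F-]{36})\}?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|ProgramData|Users\\Public)\\", re.I)

def find_delayed_self_delete(procs):
    """cmd.exe chains `ping -n N ... && del <parent's own image> && start <exe>`.
    localhost answers at once, so `ping -n N` is a sleep of roughly N-1 seconds."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        delay = deleted = relaunch = None
        for seg in CMD_PREFIX.sub("", p.cmdline, count=1).split("&&"):
            seg = seg.strip()
            if m := PING_RE.match(seg):
                delay = int(m.group(1) or 4)  # ping sends 4 requests by default
            elif m := DEL_RE.match(seg):
                deleted = m.group(1)
            elif m := START_RE.match(seg):
                relaunch = m.group(1)
        parent = by_pid.get(p.ppid)
        if delay is not None and deleted and parent and deleted.lower() == parent.image.lower():
            hits.append({"pid": p.pid, "ping_count": delay, "deleted": deleted, "relaunch": relaunch})
    return hits

def find_run_key_persistence(reg):
    """Run/RunOnce values, with a flag for targets in user-writable directories."""
    hits = []
    for w in reg:
        if w.value is None or not RUN_KEY_RE.search(w.key):
            continue
        hits.append({"pid": w.pid, "name": w.value, "path": w.data,
                     "user_writable": bool(USER_WRITABLE_RE.search(w.data or "")),
                     "wow64_view": "wow6432node" in w.key.lower()})  # 32-bit writer on x64
    return hits

def find_active_setup_components(reg):
    """Writes per Installed Components GUID. Active Setup runs StubPath from the HKLM
    component key at logon; the per-user key only records that it already ran, so a
    user-hive key with no StubPath is storage, not a logon trigger."""
    comps = {}
    for w in reg:
        if not (m := ACTIVE_SETUP_RE.search(w.key)):
            continue
        c = comps.setdefault(m.group(1).upper(), {"pid": w.pid, "values": [], "stubpath": False,
            "hive": "HKU" if w.key.upper().startswith("\\REGISTRY\\USER\\") else "HKLM"})
        if w.value is not None:
            c["values"].append(w.value)
            c["stubpath"] = c["stubpath"] or w.value.lower() == "stubpath"
    return comps

def correlate(procs, reg):
    """Tie the signatures together: is the relaunched binary the Run key's target?"""
    chains, runs = find_delayed_self_delete(procs), find_run_key_persistence(reg)
    relaunched = {c["relaunch"].lower() for c in chains if c["relaunch"]}
    persisted = {r["path"].lower() for r in runs if r["path"]}
    return {"self_delete_chains": chains, "run_keys": runs,
            "active_setup": find_active_setup_components(reg),
            "relaunch_matches_run_key": bool(relaunched & persisted)}

if __name__ == "__main__":
    import json
    print(json.dumps(correlate(PROCS, REG), indent=2))
```

Run as a script it prints a JSON summary. The check that matters is the last field: the path the cmd.exe chain relaunches is the same path the Run value points at, which is what ties "Deletes itself", "Executes dropped EXE" and "Adds Run key" into one persistence routine rather than three unrelated hits. The self-delete matcher requires the deleted path to equal the parent's own image, which keeps ordinary cleanup scripts out of the results; swapping `ping -n N localhost` for `timeout /t N` or `ping -n N 127.0.0.1` would only need PING_RE extended.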
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe   (the report lists this file four times, once without the drive letter; all four entries are identical)
  Filesize  109KB
  MD5       364a4598b51f44332e67e001f1b0803f
  SHA1      ff42dec2fdddb5d7714b0269afaac3aa5b26a0e3
  SHA256    a22382517b602b256a1243e54868870db35db9c391a991754d3a97737aa5a1cf
  SHA512    b601b809182b3a3fc636d3a0ea6daf11b42244b0ce2d0a486353d1aa5913a109daafc4592898e80faa1a5f8e4632b7a09a5e0cbb5e740b7d8a236354bf80c9af
  Note: these hashes are identical to the submitted sample's, so the dropped winlogin.exe is a byte-for-byte copy of the original, not an unpacked second stage. File hashes alone will therefore not distinguish the installer from the persisted copy; the path and the Run key do.
-
memory/528-62-0x0000000000000000-mapping.dmp
-
memory/528-65-0x0000000001FB0000-0x000000000211B000-memory.dmp   Filesize 1.4MB
-
memory/600-59-0x0000000000000000-mapping.dmp
-
memory/1120-55-0x0000000000000000-mapping.dmp
-
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp   Filesize 8KB
-
memory/1464-57-0x0000000002000000-0x000000000216B000-memory.dmp   Filesize 1.4MB
-
memory/1532-58-0x0000000000000000-mapping.dmp
Note: the two 1.4MB regions (0x1FB0000-0x211B000 in winlogin.exe, PID 528, and 0x2000000-0x216B000 in the original, PID 1464) are both exactly 0x16B000 bytes, which is what you would expect when the same binary unpacks the same payload in both processes. Those two dumps are the ones to diff and scan first; the 109KB file on disk is only the packed loader.