9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

Analysis

max time kernel
203s
max time network
75s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
Size

284KB
MD5

98f42963beb8c87b6e495ba807bc1cb2
SHA1

e5bdf17473779e9884de7818d7ce9c1e39a82015
SHA256

9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321
SHA512

fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61
SSDEEP

6144:FcL3oOaCI/+6W913yLmanlNj+bVXknpbAbVXknpbAbVXknpbAbVSKM/:yz6W91CLmanlNj+BXE5ABXE5ABXE5ABE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
544	winlogin.exe
584	winlogin.exe

Loads dropped DLL 3 IoCs

pid	Process
572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
544	winlogin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogin.exe"	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 544 set thread context of 584	544	winlogin.exe	30

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
544	winlogin.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 1676 wrote to memory of 572	1676	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	28
PID 572 wrote to memory of 544	572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	29
PID 572 wrote to memory of 544	572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	29
PID 572 wrote to memory of 544	572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	29
PID 572 wrote to memory of 544	572	9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe	29
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30
PID 544 wrote to memory of 584	544	winlogin.exe	30

C:\Users\Admin\AppData\Local\Temp\9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
"C:\Users\Admin\AppData\Local\Temp\9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe
  "C:\Users\Admin\AppData\Local\Temp\9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\winlogin.exe
    "C:\Users\Admin\AppData\Local\Temp\winlogin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\winlogin.exe
      "C:\Users\Admin\AppData\Local\Temp\winlogin.exe"
      4⤵
      Executes dropped EXE
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
\Users\Admin\AppData\Local\Temp\winlogin.exe

Filesize
284KB

MD5
98f42963beb8c87b6e495ba807bc1cb2

SHA1
e5bdf17473779e9884de7818d7ce9c1e39a82015

SHA256
9b0ea391bbf6e9d432e9db5bfedc3a70dde46858d8db77bab0abac10e1871321

SHA512
fafd743234d2a91b48899f038552509b5842c1b28a16ac79b79c45cb7e88b477aa9995a2d6cf1c968de75ca2f7691708f7db4071a90793b36492bd4121318f61

Download Submit
memory/544-64-0x0000000000000000-mapping.dmp

Download
memory/572-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-59-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/572-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-57-0x0000000000407850-mapping.dmp

Download
memory/572-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-71-0x0000000000407850-mapping.dmp

Download
memory/584-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download