162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 11:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a238546ba438a42789cf5d6bd08a03f.exe
Size

284KB
MD5

7a238546ba438a42789cf5d6bd08a03f
SHA1

1bb68ee98e317203f4df9b2195533350f58cd0be
SHA256

162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69
SHA512

be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977
SSDEEP

3072:ztM6vm1mgc3EPAJjCE/o2LA4qcw5bGIT5eNXy:5E1mgc3EPAJ2L0qZbGINely

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7a238546ba438a42789cf5d6bd08a03f.exe

Executes dropped EXE 7 IoCs

pid	Process
4072	winlogon.exe
384	winlogon.exe
1428	winlogon.exe
1856	winlogon.exe
2076	winlogon.exe
4428	winlogon.exe
3464	winlogon.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2068-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2068-3-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2068-4-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2068-15-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/384-28-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/384-34-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/384-40-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/384-46-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/384-52-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4072 set thread context of 384	4072	winlogon.exe	94
PID 384 set thread context of 1428	384	winlogon.exe	95
PID 384 set thread context of 1856	384	winlogon.exe	107
PID 384 set thread context of 2076	384	winlogon.exe	110
PID 384 set thread context of 4428	384	winlogon.exe	113
PID 384 set thread context of 3464	384	winlogon.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
724	1428	WerFault.exe	95
4436	1856	WerFault.exe	107
4172	2076	WerFault.exe	110
4716	4428	WerFault.exe	113
4028	3464	WerFault.exe	116

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	7a238546ba438a42789cf5d6bd08a03f.exe
384	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4932	4032	7a238546ba438a42789cf5d6bd08a03f.exe	87
PID 4032 wrote to memory of 4932	4032	7a238546ba438a42789cf5d6bd08a03f.exe	87
PID 4032 wrote to memory of 4932	4032	7a238546ba438a42789cf5d6bd08a03f.exe	87
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 4032 wrote to memory of 2068	4032	7a238546ba438a42789cf5d6bd08a03f.exe	89
PID 2068 wrote to memory of 4072	2068	7a238546ba438a42789cf5d6bd08a03f.exe	92
PID 2068 wrote to memory of 4072	2068	7a238546ba438a42789cf5d6bd08a03f.exe	92
PID 2068 wrote to memory of 4072	2068	7a238546ba438a42789cf5d6bd08a03f.exe	92
PID 4072 wrote to memory of 1808	4072	winlogon.exe	93
PID 4072 wrote to memory of 1808	4072	winlogon.exe	93
PID 4072 wrote to memory of 1808	4072	winlogon.exe	93
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 4072 wrote to memory of 384	4072	winlogon.exe	94
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1428	384	winlogon.exe	95
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 1856	384	winlogon.exe	107
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 2076	384	winlogon.exe	110
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 4428	384	winlogon.exe	113
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116
PID 384 wrote to memory of 3464	384	winlogon.exe	116

C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
"C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1808
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 12
        6⤵
        Program crash
        
        PID:724
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:1856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 12
        6⤵
        Program crash
        
        PID:4436
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 12
        6⤵
        Program crash
        
        PID:4172
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:4428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 12
        6⤵
        Program crash
        
        PID:4716
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 12
        6⤵
        Program crash
        
        PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1856 -ip 1856
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2076 -ip 2076
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4428 -ip 4428
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3464 -ip 3464
1⤵
PID:560

Network

DNS

whos.amung.us

winlogon.exe

Remote address:

8.8.8.8:53

Request

whos.amung.us

IN A

Response

whos.amung.us

IN A

104.22.74.171

whos.amung.us

IN A

104.22.75.171

whos.amung.us

IN A

172.67.8.141
GET

http://whos.amung.us/swidget/26n2qf7pnk0x

winlogon.exe

Remote address:

104.22.74.171:80

Request

GET /swidget/26n2qf7pnk0x HTTP/1.1
Host: whos.amung.us

Response

HTTP/1.1 307 Temporary Redirect

Date: Sat, 27 Jan 2024 11:38:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: no-cache, no-store, must-revalidate
location: http://widgets.amung.us/small/00/1.png
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 84c0b57e6e3466c2-AMS
alt-svc: h3=":443"; ma=86400
DNS

widgets.amung.us

winlogon.exe

Remote address:

8.8.8.8:53

Request

widgets.amung.us

IN A

Response

widgets.amung.us

IN A

104.22.75.171

widgets.amung.us

IN A

172.67.8.141

widgets.amung.us

IN A

104.22.74.171
GET

http://widgets.amung.us/small/00/1.png

winlogon.exe

Remote address:

104.22.75.171:80

Request

GET /small/00/1.png HTTP/1.1
Host: widgets.amung.us
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 27 Jan 2024 11:38:22 GMT
Content-Type: image/png
Content-Length: 308
Connection: keep-alive
last-modified: Sun, 13 Jun 2010 09:48:29 GMT
etag: "4c14a96d-134"
expires: Wed, 24 Jan 2024 21:56:36 GMT
cache-control: max-age=2678400
access-control-allow-origin: *
CF-Cache-Status: HIT
Age: 308506
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 84c0b57fbcc7b7e5-AMS
alt-svc: h3=":443"; ma=86400
DNS

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

IN A

Response

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

IN A

107.178.223.183

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

IN A

104.155.138.21
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

171.74.22.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.74.22.104.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

171.75.22.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.75.22.104.in-addr.arpa

IN PTR

Response
GET

http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/

winlogon.exe

Remote address:

107.178.223.183:80

Request

GET / HTTP/1.1
User-Agent: ��Ī��׼��¥��֡��ư��ä�ο��ʪ
Host: yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

Response

HTTP/1.1 200 OK

Content-Length: 0
DNS

riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com

IN A

Response
DNS

183.223.178.107.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.223.178.107.in-addr.arpa

IN PTR

Response

183.223.178.107.in-addr.arpa

IN PTR

183223178107bcgoogleusercontentcom
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

IN A

Response

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

IN A

104.155.138.21

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

IN A

107.178.223.183
GET

http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/

winlogon.exe

Remote address:

104.155.138.21:80

Request

GET / HTTP/1.1
User-Agent: ��Ī��׼��¥��֡��ư��ä�ο��ʪ
Host: r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

Response

HTTP/1.1 200 OK

Content-Length: 0
DNS

vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com

IN A

Response
DNS

21.138.155.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.138.155.104.in-addr.arpa

IN PTR

Response

21.138.155.104.in-addr.arpa

IN PTR

21138155104bcgoogleusercontentcom
DNS

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

IN A

Response

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

IN A

104.155.138.21

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

IN A

107.178.223.183
GET

http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/

winlogon.exe

Remote address:

104.155.138.21:80

Request

GET / HTTP/1.1
User-Agent: ��Ī��׼��¥��֡��ư��ä�ο��ʪ
Host: 4e05d391n96r44epv47823eqr1co6l.ipcheker.com

Response

HTTP/1.1 200 OK

Content-Length: 0
DNS

01wt91nuik663607x58poo40a310ko.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

01wt91nuik663607x58poo40a310ko.ipgreat.com

IN A

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

u0283735v77liifx77436423s623v1.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

u0283735v77liifx77436423s623v1.ipcheker.com

IN A

Response

u0283735v77liifx77436423s623v1.ipcheker.com

IN A

107.178.223.183

u0283735v77liifx77436423s623v1.ipcheker.com

IN A

104.155.138.21
GET

http://u0283735v77liifx77436423s623v1.ipcheker.com/

winlogon.exe

Remote address:

107.178.223.183:80

Request

GET / HTTP/1.1
User-Agent: ��Ī��׼��¥��֡��ư��ä�ο��ʪ
Host: u0283735v77liifx77436423s623v1.ipcheker.com

Response

HTTP/1.1 200 OK

Content-Length: 0
DNS

7203680j351poe6iu934a47o03dpq2.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

7203680j351poe6iu934a47o03dpq2.ipgreat.com

IN A

Response
DNS

14.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.173.189.20.in-addr.arpa

IN PTR

Response
DNS

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

Response

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

107.178.223.183

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

104.155.138.21
DNS

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

Response

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

107.178.223.183

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

IN A

104.155.138.21
GET

http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/

winlogon.exe

Remote address:

107.178.223.183:80

Request

GET / HTTP/1.1
User-Agent: ��Ī��׼��¥��֡��ư��ä�ο��ʪ
Host: 17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

Response

HTTP/1.1 200 OK

Content-Length: 0
DNS

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

IN A

Response
DNS

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

winlogon.exe

Remote address:

8.8.8.8:53

Request

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

IN A

Response

104.22.74.171:80

http://whos.amung.us/swidget/26n2qf7pnk0x

http

winlogon.exe

335 B
549 B
6
4

HTTP Request

GET http://whos.amung.us/swidget/26n2qf7pnk0x

HTTP Response

307
104.22.75.171:80

http://widgets.amung.us/small/00/1.png

http

winlogon.exe

356 B
915 B
6
4

HTTP Request

GET http://widgets.amung.us/small/00/1.png

HTTP Response

200
107.178.223.183:80

http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/

http

winlogon.exe

733 B
530 B
13
12

HTTP Request

GET http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/

HTTP Response

200
104.155.138.21:80

http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/

http

winlogon.exe

411 B
250 B
6
5

HTTP Request

GET http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/

HTTP Response

200
104.155.138.21:80

http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/

http

winlogon.exe

457 B
290 B
7
6

HTTP Request

GET http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/

HTTP Response

200
107.178.223.183:80

http://u0283735v77liifx77436423s623v1.ipcheker.com/

http

winlogon.exe

457 B
290 B
7
6

HTTP Request

GET http://u0283735v77liifx77436423s623v1.ipcheker.com/

HTTP Response

200
107.178.223.183:80

http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/

http

winlogon.exe

365 B
210 B
5
4

HTTP Request

GET http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/

HTTP Response

200

8.8.8.8:53

whos.amung.us

dns

winlogon.exe

59 B
107 B
1
1

DNS Request

whos.amung.us

DNS Response

104.22.74.171

104.22.75.171

172.67.8.141
8.8.8.8:53

widgets.amung.us

dns

winlogon.exe

62 B
110 B
1
1

DNS Request

widgets.amung.us

DNS Response

104.22.75.171

172.67.8.141

104.22.74.171
8.8.8.8:53

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

dns

winlogon.exe

89 B
121 B
1
1

DNS Request

yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

DNS Response

107.178.223.183

104.155.138.21
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

171.74.22.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

171.74.22.104.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

171.75.22.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

171.75.22.104.in-addr.arpa
8.8.8.8:53

riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com

dns

winlogon.exe

88 B
161 B
1
1

DNS Request

riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com
8.8.8.8:53

183.223.178.107.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

183.223.178.107.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

dns

winlogon.exe

89 B
121 B
1
1

DNS Request

r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

DNS Response

104.155.138.21

107.178.223.183
8.8.8.8:53

vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com

dns

winlogon.exe

88 B
161 B
1
1

DNS Request

vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com
8.8.8.8:53

21.138.155.104.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

21.138.155.104.in-addr.arpa
8.8.8.8:53

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

dns

winlogon.exe

89 B
121 B
1
1

DNS Request

4e05d391n96r44epv47823eqr1co6l.ipcheker.com

DNS Response

104.155.138.21

107.178.223.183
8.8.8.8:53

01wt91nuik663607x58poo40a310ko.ipgreat.com

dns

winlogon.exe

88 B
161 B
1
1

DNS Request

01wt91nuik663607x58poo40a310ko.ipgreat.com
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

u0283735v77liifx77436423s623v1.ipcheker.com

dns

winlogon.exe

89 B
121 B
1
1

DNS Request

u0283735v77liifx77436423s623v1.ipcheker.com

DNS Response

107.178.223.183

104.155.138.21
8.8.8.8:53

7203680j351poe6iu934a47o03dpq2.ipgreat.com

dns

winlogon.exe

88 B
161 B
1
1

DNS Request

7203680j351poe6iu934a47o03dpq2.ipgreat.com
8.8.8.8:53

14.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.173.189.20.in-addr.arpa
8.8.8.8:53

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

dns

winlogon.exe

178 B
242 B
2
2

DNS Request

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

DNS Request

17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

DNS Response

107.178.223.183

104.155.138.21

DNS Response

107.178.223.183

104.155.138.21
8.8.8.8:53

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

dns

winlogon.exe

176 B
322 B
2
2

DNS Request

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

DNS Request

pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
284KB

MD5
7a238546ba438a42789cf5d6bd08a03f

SHA1
1bb68ee98e317203f4df9b2195533350f58cd0be

SHA256
162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

SHA512
be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977

Download Submit
memory/384-52-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/384-46-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/384-40-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/384-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/384-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2068-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2068-15-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2068-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2068-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4032-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4072-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.