4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9

General

Target

4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
Size

217KB
MD5

4ffdea648472f608684dc39dea038660
SHA1

97f7f8d4d654af82f0be820ed7bdc3469a15c238
SHA256

4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9
SHA512

a6f404451850d97b409c7fd9536574d9406f3f64bf3d6c0020c15ea1352ae7d0a6b1727dce60329b82f042e96b44d000bcd5ecca88be3e507f57efa7e1d0b886
SSDEEP

3072:Y9PkrQ3qKG12Aa+u5/GGrgQ2TrhzWiQmzV50qAnz4Wa2vLsNouaiUZO:YAv7yXg5zWiNzV50XwaY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\run	svchost.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7118912f = "C:\\Windows\\apppatch\\svchost.exe"	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\purycap.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyniw.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyzub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyrys.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymysan.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyvyz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykyc.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyvep.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vopycom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygynud.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygygin.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
File created	C:\Windows\apppatch\svchost.exe	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1320	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
Token: SeSecurityPrivilege	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
Token: SeSecurityPrivilege	1320	svchost.exe
Token: SeSecurityPrivilege	1320	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1320	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe	27
PID 1044 wrote to memory of 1320	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe	27
PID 1044 wrote to memory of 1320	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe	27
PID 1044 wrote to memory of 1320	1044	4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe	27

C:\Users\Admin\AppData\Local\Temp\4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe
"C:\Users\Admin\AppData\Local\Temp\4dc368db69ee776d34e3c2209c626cc72984598ed21ede516451b4de2a43f7f9.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
217KB

MD5
11a2da22e2d356ff2e30c95b31fd55e1

SHA1
6f1ee26477433056fa09c33fca7af81312fc51d4

SHA256
b2208bf472fef4aed5244b081ac62d95e6d7fe130073c94eb51d39ae0cd26fcb

SHA512
0af9aa55f7ccfacb6232d8c8f0d31ed9c50d1594b3dd4361711b3c075081fa1d44f247105834e38c6d10a1fdbad6343d8c71072b25687f810a2e3a5be060e001

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
217KB

MD5
11a2da22e2d356ff2e30c95b31fd55e1

SHA1
6f1ee26477433056fa09c33fca7af81312fc51d4

SHA256
b2208bf472fef4aed5244b081ac62d95e6d7fe130073c94eb51d39ae0cd26fcb

SHA512
0af9aa55f7ccfacb6232d8c8f0d31ed9c50d1594b3dd4361711b3c075081fa1d44f247105834e38c6d10a1fdbad6343d8c71072b25687f810a2e3a5be060e001

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
217KB

MD5
11a2da22e2d356ff2e30c95b31fd55e1

SHA1
6f1ee26477433056fa09c33fca7af81312fc51d4

SHA256
b2208bf472fef4aed5244b081ac62d95e6d7fe130073c94eb51d39ae0cd26fcb

SHA512
0af9aa55f7ccfacb6232d8c8f0d31ed9c50d1594b3dd4361711b3c075081fa1d44f247105834e38c6d10a1fdbad6343d8c71072b25687f810a2e3a5be060e001

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
217KB

MD5
11a2da22e2d356ff2e30c95b31fd55e1

SHA1
6f1ee26477433056fa09c33fca7af81312fc51d4

SHA256
b2208bf472fef4aed5244b081ac62d95e6d7fe130073c94eb51d39ae0cd26fcb

SHA512
0af9aa55f7ccfacb6232d8c8f0d31ed9c50d1594b3dd4361711b3c075081fa1d44f247105834e38c6d10a1fdbad6343d8c71072b25687f810a2e3a5be060e001

Download Submit
memory/1044-62-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1044-55-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1044-57-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1044-56-0x0000000000220000-0x0000000000272000-memory.dmp

Filesize
328KB

Download
memory/1044-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1320-65-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-66-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-60-0x0000000000000000-mapping.dmp

Download
memory/1320-67-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-69-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-70-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-64-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1320-73-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1320-74-0x00000000023E0000-0x000000000248A000-memory.dmp

Filesize
680KB

Download
memory/1320-75-0x00000000025F0000-0x00000000026A7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads