584be5e4d4e098b24ff3843da4e7f92a91a9622cac3f3d0d45a9ea68a300580f

Analysis

max time kernel
138s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
Size

1.0MB
MD5

0f2505b4e2152e859332b9606396099b
SHA1

0c31cea8f55d46b278a128c3429f88171f5b5d13
SHA256

9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29
SHA512

9f8c105e6fad955b04d59d94c2ed237e5978b9fb0c2be32dfe3c40e8ee7cba4d62d41ee5394531eade957ad3a8839e14a5ebeb0e42d440181c1335e8d3e5eecf
SSDEEP

24576:PmUNJyJqb1FcMap2ATT5kmUNJyJqb1FcMap2ATT5kmUNJyJqb1FcMap2ATT5:PmV2ApkmV2ApkmV2Ap

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2040	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\19e7e999 = ";\x0eu€-‚\x13\x06\x10/ (œdv\b\x14'÷ûšY¤t!§=¾\x11þ$Ÿàl¡TŒ1\u0081é\x0f¤ñ—§Ä‡áö‰)é§t\|n\x1fIo÷\x14¡¤o\x01ôôö7t&üÏ—t¼(\x11L‡Q\x18‰¸"	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\19e7e999 = ";\x0eu€-‚\x13\x06\x10/ (œdv\b\x14'÷ûšY¤t!§=¾\x11þ$Ÿàl¡TŒ1\u0081é\x0f¤ñ—§Ä‡áö‰)é§t\|n\x1fIo÷\x14¡¤o\x01ôôö7t&üÏ—t¼(\x11L‡Q\x18‰¸"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe
2040	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2040	1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe	27
PID 1380 wrote to memory of 2040	1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe	27
PID 1380 wrote to memory of 2040	1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe	27
PID 1380 wrote to memory of 2040	1380	9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe	27

C:\Users\Admin\AppData\Local\Temp\9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe
"C:\Users\Admin\AppData\Local\Temp\9cb054034c2521cc8b93cdfaee0de122672af303aafec24565aa7b3ef599fc29.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
1.0MB

MD5
3b507ccd919e270f68359b1d7954d63a

SHA1
8c0f8a13a91005d7b9d35d9e47bb8e72bb0f58f4

SHA256
866228304e39d4698cbb326a661bbb8069008cfc4665f4e595fed7818f38bf28

SHA512
6b4e225cad78a49737d67c190cb58558f73fdd42a4ffac83995922f361efda2eda864d72ea1753919b5e6cea17d7476bca51d5dfbc0c4c4f06dc4f608eab2175

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
1.0MB

MD5
3b507ccd919e270f68359b1d7954d63a

SHA1
8c0f8a13a91005d7b9d35d9e47bb8e72bb0f58f4

SHA256
866228304e39d4698cbb326a661bbb8069008cfc4665f4e595fed7818f38bf28

SHA512
6b4e225cad78a49737d67c190cb58558f73fdd42a4ffac83995922f361efda2eda864d72ea1753919b5e6cea17d7476bca51d5dfbc0c4c4f06dc4f608eab2175

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
1.0MB

MD5
3b507ccd919e270f68359b1d7954d63a

SHA1
8c0f8a13a91005d7b9d35d9e47bb8e72bb0f58f4

SHA256
866228304e39d4698cbb326a661bbb8069008cfc4665f4e595fed7818f38bf28

SHA512
6b4e225cad78a49737d67c190cb58558f73fdd42a4ffac83995922f361efda2eda864d72ea1753919b5e6cea17d7476bca51d5dfbc0c4c4f06dc4f608eab2175

Download Submit
memory/1380-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2040-61-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-60-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-62-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-64-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-65-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-68-0x0000000002050000-0x00000000020F8000-memory.dmp

Filesize
672KB

Download
memory/2040-69-0x0000000002360000-0x0000000002416000-memory.dmp

Filesize
728KB

Download
memory/2040-70-0x0000000002360000-0x0000000002416000-memory.dmp

Filesize
728KB

Download