12f1371f62eaee96d39e7018699dadda57824ae6bbe53bf9e8410f6a2f4d01c0

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
Size

368KB
MD5

22a16aac778046db0211063baf087f01
SHA1

b4b956ed95e827e0f3fa6fb41e339119660121d1
SHA256

8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2
SHA512

8b45b35b593fffda272d361e5f5e1a2c413157e47055de18d3a5a4fc12952e6ffee5419159efb7653373aa7360277034f951ab39a8725c16815ea0ca8e6b281c
SSDEEP

6144:T3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9Ei/:gmWhND9yJz+b1FcMLmp2ATTSsd/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
976	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\add86d4a = "\x11\aUä\x03\x17–6\u009dªÇ\b\x16²B\x7fJÝEÚÍd\x11Êeº]7\x16Êû²ÞÊ–Ò»ò!Ö:\u0081ºëÃ\x03éÊ\x16rŠŽ\x16Av\x19ªv\u009dSŽFö¾\x1d³©Õº&þ6y’õ[“Fùöú;±=YŠ©e\x06>ÒšÁ\x052\x033æãñá¹JöŽé\r\tV\x06…¦\x0eÕÁsîËéM›Z–N¢\v\x06ŠN¡F\x02¦ÎÚ\x06ÑézaRñeÂ±ž‚ÒŽÉ\u00adî%\t\vv\x06Õå~92öÊ[Ê\x16\x01vNAKª)Ó•Ê)\u00ad9^Ö\x1bÞæ1êf+>ÕÖ\x19yêö\x19b“†\x139\tUBâýéÁ6¡Ñ1Õžûaö³I‚òNvsâb\u00ad\t\x1bb‹aénæÂ‘¡EÉ‘S¦û;EJú^K¢f.Þ«~J›¦"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\add86d4a = "\x11\aUä\x03\x17–6\u009dªÇ\b\x16²B\x7fJÝEÚÍd\x11Êeº]7\x16Êû²ÞÊ–Ò»ò!Ö:\u0081ºëÃ\x03éÊ\x16rŠŽ\x16Av\x19ªv\u009dSŽFö¾\x1d³©Õº&þ6y’õ[“Fùöú;±=YŠ©e\x06>ÒšÁ\x052\x033æãñá¹JöŽé\r\tV\x06…¦\x0eÕÁsîËéM›Z–N¢\v\x06ŠN¡F\x02¦ÎÚ\x06ÑézaRñeÂ±ž‚ÒŽÉ\u00adî%\t\vv\x06Õå~92öÊ[Ê\x16\x01vNAKª)Ó•Ê)\u00ad9^Ö\x1bÞæ1êf+>ÕÖ\x19yêö\x19b“†\x139\tUBâýéÁ6¡Ñ1Õžûaö³I‚òNvsâb\u00ad\t\x1bb‹aénæÂ‘¡EÉ‘S¦û;EJú^K¢f.Þ«~J›¦"	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
File created	C:\Windows\apppatch\svchost.exe	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe
976	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 976	1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe	27
PID 1088 wrote to memory of 976	1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe	27
PID 1088 wrote to memory of 976	1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe	27
PID 1088 wrote to memory of 976	1088	8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe	27

C:\Users\Admin\AppData\Local\Temp\8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe
"C:\Users\Admin\AppData\Local\Temp\8e9b0007d2d7be49ea53bee869c3ef8b120b25fa92fef4d4b85cb9ed002a4fc2.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
368KB

MD5
2d82bab1c0c2876be58a5e1c7fdffb7f

SHA1
5576852d03cfa62d2127ca36d922a179cd54f2dc

SHA256
5f5f1e5c6ec55fa0fcad9e4772772f675af6c478636ce794a55759f659fe9b49

SHA512
778b4c93f33e277872182067ffa2cd426b46173b37bf8643472184fcd66f8966223689ed33da7253f42688d3cdcf6d77c1c8ac1e5d13fb85dc1313dcc0ca69c6

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
368KB

MD5
2d82bab1c0c2876be58a5e1c7fdffb7f

SHA1
5576852d03cfa62d2127ca36d922a179cd54f2dc

SHA256
5f5f1e5c6ec55fa0fcad9e4772772f675af6c478636ce794a55759f659fe9b49

SHA512
778b4c93f33e277872182067ffa2cd426b46173b37bf8643472184fcd66f8966223689ed33da7253f42688d3cdcf6d77c1c8ac1e5d13fb85dc1313dcc0ca69c6

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
368KB

MD5
2d82bab1c0c2876be58a5e1c7fdffb7f

SHA1
5576852d03cfa62d2127ca36d922a179cd54f2dc

SHA256
5f5f1e5c6ec55fa0fcad9e4772772f675af6c478636ce794a55759f659fe9b49

SHA512
778b4c93f33e277872182067ffa2cd426b46173b37bf8643472184fcd66f8966223689ed33da7253f42688d3cdcf6d77c1c8ac1e5d13fb85dc1313dcc0ca69c6

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
368KB

MD5
2d82bab1c0c2876be58a5e1c7fdffb7f

SHA1
5576852d03cfa62d2127ca36d922a179cd54f2dc

SHA256
5f5f1e5c6ec55fa0fcad9e4772772f675af6c478636ce794a55759f659fe9b49

SHA512
778b4c93f33e277872182067ffa2cd426b46173b37bf8643472184fcd66f8966223689ed33da7253f42688d3cdcf6d77c1c8ac1e5d13fb85dc1313dcc0ca69c6

Download Submit
memory/976-61-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-60-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-62-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-64-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-65-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-68-0x0000000000350000-0x00000000003F8000-memory.dmp

Filesize
672KB

Download
memory/976-69-0x0000000002310000-0x00000000023C6000-memory.dmp

Filesize
728KB

Download
memory/976-70-0x0000000002310000-0x00000000023C6000-memory.dmp

Filesize
728KB

Download
memory/1088-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download