c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070

General

Target

c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe
Size

208KB
MD5

042ec980875566c68517a28da400e697
SHA1

c67fcdc623d07356b4d7e5314f8b55becf98d5ba
SHA256

c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070
SHA512

4d68f8a9d51a1eda082eb00fea6d3f36a9088fa70af3c96a7890f954619db87fd87e73357da440cd1841ab0f4a0800630baba783fdbe096462b8f5c300987060
SSDEEP

3072:kUpRi1s+S52fNiQGUaqcJeGwxruUIiau038t6eTNzW+XERycnR3FPEtprO8OFb5+:S1wuNiQj4hwBEu0MYqVmXBFPEjRiGdz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1020	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe
1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\667245f = "ùŸŠKôÂ¼agø…\|ÊË\u00a0_àIt¦YµŒB\u0090«¾xÁ©S¥0\x1f\abx\tñ#ìb™¾ ÑÙSHxˆ\u009d¶5#÷k{e\u008f\x0eO\x1a0*Ø\x14@â\aü/IY\x14\\5¬8‹À/DÀ0\x1fYH˜°\x1b\x1a¶½û€0gÞ\x145¥ØN¤k1äO\tV¯~ŽÍ¯¤\u009dU1+Éq\x1ak~l\t˜™Ö\u0081TÀÊ\x0eŽ \\D¤)Oq\x06\bV—\x1c·–¢ÈO&+ \u0081\x0f#F\x0eV‹{)pýí8v¶\x0eA€AA\x04žÆ{ü«U¬\x01Ö°³?³×-¤bŽX\rò1c\x14ë^ÊT\x1cñD ¥\x14>¢\u009dS¶\x1dX+×\x1c\u009dEeÑÍõró#Ã\x0fÐ\x1dé#ªIßX9Ó>¿Õ³¢\\\r#\x14jw\x04·v_‘I"	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe
Token: SeSecurityPrivilege	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1020	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe	27
PID 1188 wrote to memory of 1020	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe	27
PID 1188 wrote to memory of 1020	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe	27
PID 1188 wrote to memory of 1020	1188	c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe	27

C:\Users\Admin\AppData\Local\Temp\c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe
"C:\Users\Admin\AppData\Local\Temp\c6c49d2c8455790495e3b0a6b4a07db585f8b75d64f30ea0d6ef57e9c090f070.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
47KB

MD5
cb1447b8ec22d78b009059bc60868c43

SHA1
c27303f011b2699a781af6e367c96f8e2580d620

SHA256
48974b3acad8d0d868828e87500620a29bbdc980bb89faee9c7b1335f7b0889f

SHA512
c60b39807a388bcd8274d7edb13171cb338f113684fe542fd0f7f8c6e032aa5315f9830d8dd05d6b2fb1d8ebc6c46113822464331ffbdbadf6770485d1c608f2

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
7KB

MD5
33d32d6f8f6544da747347959c2d3371

SHA1
2ac567cf3a181b7c226a1a47da76d744dcf55a93

SHA256
7cff365ec9d8d6364579d5b03f44599b5bbcd7da8ac14bdbbf51ada58020fe00

SHA512
292c2b8018c44c5704d14776f6cf0254e78a66a8a5ec5320a89f2da51418120fa0db4b2902fd5c3872511102f694c91f54a7cc051b1569611febe610511bb0dd

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
30KB

MD5
e92289647820c9e716e35ca39e44c2ed

SHA1
ad14df726c43f83d3b36d9c2d082b4d5360f5804

SHA256
a06e8ae2d3eead1d90169c3aa1e0c8e4200a193f032cd6d523402d1cb9089420

SHA512
ed06525f0124fb588feb9c9dd4b5193f0dbb665ad4021293e54733ffa4d13c3b50910788cae48bfe76ef9c847b8cc68fec4073b2a83c230d749f18e2ce6d7c8b

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
21KB

MD5
507a135071bc9369d02798cff20825e9

SHA1
6a22160a3694ba2115da3977d8d09599ce670522

SHA256
817bea028f03aadd0ec63b56a5a194fcdd2c2dbc0c7841246e0194745bc1e791

SHA512
c9b3ade45fbe1f0b7b6efcc91b09a3e2f23d7f8c30ca1cbb2c0fe1fc6571fa8d6bc12fce9d71f7902744eb7fd073f364468ac181e580e619b6db908e61af61c0

Download Submit
memory/1020-70-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1020-67-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1020-62-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1020-74-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1020-75-0x0000000002640000-0x00000000026F7000-memory.dmp

Filesize
732KB

Download
memory/1020-73-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1020-66-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1020-65-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1020-69-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/1188-63-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1188-54-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1188-56-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/1188-57-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1188-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing