1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5

General

Target

1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
Size

205KB
MD5

4412e4403a4d6bad009c048530618305
SHA1

18d075d294a02ed77ae16876ceaccfab30f9170b
SHA256

1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5
SHA512

2cc208eaedcdb91b44aaef1f46aa27bb5540768b549128c8cc362c850fe0ed3199fa62f875c2f991b99e9695299f1c3202d29912bf3c9706a51bca38dd609769
SSDEEP

3072:NcyjuBAS1S8JMMiKApnj2YiOjxT8Tr+88m+V8tF0IxIT08oM+CZUbbpscQ8hjjk:kGS1LJMPpmOlM8m+VYF0OGF9jUScr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
564	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\run	svchost.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6da9ba0 = "C:\\Windows\\apppatch\\svchost.exe"	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\lygynud.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykyc.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyvyz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyvep.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyrys.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygygin.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyzub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vopycom.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
File created	C:\Windows\apppatch\svchost.exe	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
564	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
Token: SeSecurityPrivilege	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
Token: SeSecurityPrivilege	564	svchost.exe
Token: SeSecurityPrivilege	564	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 564	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe	28
PID 1236 wrote to memory of 564	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe	28
PID 1236 wrote to memory of 564	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe	28
PID 1236 wrote to memory of 564	1236	1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe	28

C:\Users\Admin\AppData\Local\Temp\1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe
"C:\Users\Admin\AppData\Local\Temp\1da884d72c7fcac4d941a59a23108b5aa8868d51a0b137659aff4e4d89550fc5.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
205KB

MD5
9fb3849554a3b2b6caf9d7c9e17fc3fd

SHA1
0ee0a4eca2145982177b39858ba9086f10f21df7

SHA256
e4c261d08930152c4d8bdcca7fff0e93e32d60c1723b1d8fe551b54dcd8067e7

SHA512
1c7f07e38308db061202bf09f6ec8eb0a51f7065cc5ed07c8b9032cdfd0c5c5f35e8960dfab39b7d6915e934e2352cfe736c106a01ee775abf8e47adc3f1ede9

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
205KB

MD5
9fb3849554a3b2b6caf9d7c9e17fc3fd

SHA1
0ee0a4eca2145982177b39858ba9086f10f21df7

SHA256
e4c261d08930152c4d8bdcca7fff0e93e32d60c1723b1d8fe551b54dcd8067e7

SHA512
1c7f07e38308db061202bf09f6ec8eb0a51f7065cc5ed07c8b9032cdfd0c5c5f35e8960dfab39b7d6915e934e2352cfe736c106a01ee775abf8e47adc3f1ede9

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
205KB

MD5
9fb3849554a3b2b6caf9d7c9e17fc3fd

SHA1
0ee0a4eca2145982177b39858ba9086f10f21df7

SHA256
e4c261d08930152c4d8bdcca7fff0e93e32d60c1723b1d8fe551b54dcd8067e7

SHA512
1c7f07e38308db061202bf09f6ec8eb0a51f7065cc5ed07c8b9032cdfd0c5c5f35e8960dfab39b7d6915e934e2352cfe736c106a01ee775abf8e47adc3f1ede9

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
205KB

MD5
9fb3849554a3b2b6caf9d7c9e17fc3fd

SHA1
0ee0a4eca2145982177b39858ba9086f10f21df7

SHA256
e4c261d08930152c4d8bdcca7fff0e93e32d60c1723b1d8fe551b54dcd8067e7

SHA512
1c7f07e38308db061202bf09f6ec8eb0a51f7065cc5ed07c8b9032cdfd0c5c5f35e8960dfab39b7d6915e934e2352cfe736c106a01ee775abf8e47adc3f1ede9

Download Submit
memory/564-66-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/564-70-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/564-61-0x0000000000000000-mapping.dmp

Download
memory/564-76-0x0000000002100000-0x00000000021B7000-memory.dmp

Filesize
732KB

Download
memory/564-67-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/564-65-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/564-74-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/564-73-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/564-71-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/564-68-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/1236-57-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1236-64-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1236-56-0x0000000000310000-0x0000000000362000-memory.dmp

Filesize
328KB

Download
memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1236-55-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1236-58-0x0000000000310000-0x0000000000362000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads