87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4

General

Target

87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe
Size

202KB
MD5

4fcfeb3f0fb33eab0dade7514e0811d7
SHA1

51076e9bf122ac301cca53f82d29bcf35f537f6c
SHA256

87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4
SHA512

2aa4c42b07e4f728ac1e56a65418076911c66e5a7895b9987d32c5c930333adccbb6b9e7c618e466149c8aeec9f43ebc7fa043658d8dffcaa7f3d204a75ea470
SSDEEP

6144:aFP2x9+EkFBOg3S1/hHpa1ZYe0Es/YdDMZjnq4hy9F:a0+C3Hw1ZYe0Es/qMJq4Y9F

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
952	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe
1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fea1c7a7 = "C:\\Windows\\apppatch\\svchost.exe"	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fea1c7a7 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygygin.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyvep.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyvyz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykyc.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykyc.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyrys.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ganyzub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ganyrys.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vopycom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymysan.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\ganyzub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygygin.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyvyz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyvep.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymysan.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vopycom.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
952	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 952	1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe	27
PID 1388 wrote to memory of 952	1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe	27
PID 1388 wrote to memory of 952	1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe	27
PID 1388 wrote to memory of 952	1388	87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe	27

C:\Users\Admin\AppData\Local\Temp\87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe
"C:\Users\Admin\AppData\Local\Temp\87d0f9e25d96e49ca45df40b9c535c2cc2a0aca01f200a0df2c9e206bd098db4.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
202KB

MD5
8b7d6e332a6139a3692bd5b383e02c2a

SHA1
64f09a9c7dae5475c440ff5d8a9fc398166e6d5d

SHA256
3023b43e0fb50912194683a3d38d0de3a34ab2b6dacafef98670717b7dd52514

SHA512
903ae82c641d5c543824fa53bb0219eeb15e0300b5c546615855410543484aabbf32e9f483a3e41e89d2270e98f4e4f6fb6aa613e47e9e3007c71046b7274a01

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
202KB

MD5
8b7d6e332a6139a3692bd5b383e02c2a

SHA1
64f09a9c7dae5475c440ff5d8a9fc398166e6d5d

SHA256
3023b43e0fb50912194683a3d38d0de3a34ab2b6dacafef98670717b7dd52514

SHA512
903ae82c641d5c543824fa53bb0219eeb15e0300b5c546615855410543484aabbf32e9f483a3e41e89d2270e98f4e4f6fb6aa613e47e9e3007c71046b7274a01

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
202KB

MD5
8b7d6e332a6139a3692bd5b383e02c2a

SHA1
64f09a9c7dae5475c440ff5d8a9fc398166e6d5d

SHA256
3023b43e0fb50912194683a3d38d0de3a34ab2b6dacafef98670717b7dd52514

SHA512
903ae82c641d5c543824fa53bb0219eeb15e0300b5c546615855410543484aabbf32e9f483a3e41e89d2270e98f4e4f6fb6aa613e47e9e3007c71046b7274a01

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
202KB

MD5
8b7d6e332a6139a3692bd5b383e02c2a

SHA1
64f09a9c7dae5475c440ff5d8a9fc398166e6d5d

SHA256
3023b43e0fb50912194683a3d38d0de3a34ab2b6dacafef98670717b7dd52514

SHA512
903ae82c641d5c543824fa53bb0219eeb15e0300b5c546615855410543484aabbf32e9f483a3e41e89d2270e98f4e4f6fb6aa613e47e9e3007c71046b7274a01

Download Submit
memory/952-69-0x0000000001DD0000-0x0000000001E74000-memory.dmp

Filesize
656KB

Download
memory/952-79-0x0000000001EC0000-0x0000000002B0A000-memory.dmp

Filesize
12.3MB

Download
memory/952-78-0x0000000001CD0000-0x0000000001DE0000-memory.dmp

Filesize
1.1MB

Download
memory/952-77-0x0000000001BC0000-0x0000000001C3B000-memory.dmp

Filesize
492KB

Download
memory/952-64-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/952-66-0x0000000001DD0000-0x0000000001E74000-memory.dmp

Filesize
656KB

Download
memory/952-65-0x0000000001DD0000-0x0000000001E74000-memory.dmp

Filesize
656KB

Download
memory/952-67-0x0000000001DD2000-0x0000000001E22000-memory.dmp

Filesize
320KB

Download
memory/952-76-0x0000000001EC0000-0x0000000002B0A000-memory.dmp

Filesize
12.3MB

Download
memory/952-70-0x0000000001DD0000-0x0000000001E74000-memory.dmp

Filesize
656KB

Download
memory/952-75-0x0000000001CD0000-0x0000000001DE0000-memory.dmp

Filesize
1.1MB

Download
memory/952-73-0x0000000001BC0000-0x0000000001C3B000-memory.dmp

Filesize
492KB

Download
memory/952-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1388-55-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1388-62-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1388-56-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/1388-57-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads