4d7c229c22ac534569f6b3dd2a419bd99fa0f42635430e237be17c76473bed2c

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f7902e3711c689cb5b8874e3f4ffc02_JC.exe
Size

206KB
MD5

9f7902e3711c689cb5b8874e3f4ffc02
SHA1

65ba3c5266bb273610ea82ae931f55bdc0c01a9f
SHA256

4d7c229c22ac534569f6b3dd2a419bd99fa0f42635430e237be17c76473bed2c
SHA512

102c089ab60c3e30b1cf8958ce534981ed19bb8de29b30a739975f66b9a0d5cf0b91ae223202e8531e458b5c02d8287e032fb31f4c4e42c0304705191ca0b772
SSDEEP

3072:unY9tqi07/+8qZip+YRADRddUpBYzkcGSaUyRt6umF4T/L+htRTA5M9Qfcl:uY9P07/O2+UGd0HPRhT/L+hU5wkcl

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8bec575a = "C:\\Windows\\apppatch\\svchost.exe"	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8bec575a = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonyket.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonyket.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purypol.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexynyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexynyp.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	svchost.exe
1908	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4440	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 1908	4440	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe	86
PID 4440 wrote to memory of 1908	4440	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe	86
PID 4440 wrote to memory of 1908	4440	9f7902e3711c689cb5b8874e3f4ffc02_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\9f7902e3711c689cb5b8874e3f4ffc02_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9f7902e3711c689cb5b8874e3f4ffc02_JC.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
22KB

MD5
8256aa6ca960a5f6240ae4a0c50790c1

SHA1
ce89edefdd63645d14f2a3ae3e2162287df17443

SHA256
171877eb59aaf3d51d8b49e89d9342028896117b1b4a5c36e11778a647489703

SHA512
4d3f58d115f21087d42fa3c5fcc5a316b1b6ec50d482225f7be43f2ac0d07d391793851e4ba98b6f99db09e93b424bffa0674e13875d0ecd03e42cc6aee60922

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
1KB

MD5
ff4739fe8d3f411c1114f7d7097d5fc5

SHA1
c15b76b5ce6ff4774d973ba8965cdefe32e8ad57

SHA256
137b2f8fb24d056d9b4d7218c9d1c91d9ba07751dc9e9bb544cdcdbdeb519a48

SHA512
3ad0285b59fa9386e8a7b38f30ba473421a8c6048a573c895d46f600df0f6aaaa7b0da238340eb6685dba7729688e917387215bad89aae4f9bc1dd1e44e0c864

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
03ff8a6f4087f7e4e1e6c8d9a2487411

SHA1
288cbc25092d1346d3a996a9a3ccad65f5cc9ea1

SHA256
40eb78f5611ba7e37635166a9676bcf6413fa69a7d00a22ffd64c98e4ecd5cc9

SHA512
4434f1cefa9c4d1fa61fcec719f16f9448f296ed91e3dc3096fe7722eaa8538bc9693f488b266aa87b54fde08a702b923eb7e065fca9ec539a8f043cbe3a142b

Download Submit
C:\Program Files (x86)\Windows Defender\lyxynyx.com

Filesize
302B

MD5
d3b33b6d931f30f47e21908d2ea80e23

SHA1
3880a6c1926821149e490995b42b85c9b743c692

SHA256
7e45348d6ebb420cdcfcbdb33b38dda40b5333dec4bf97a5bef08980154c3b7e

SHA512
e040120f50252c9e346a5a73b57a9616316cb95e61e0870f4bc72c22c2306126d34765e971b00413454aa1547e7e75240abc72db3342042f1f272167a71ee935

Download Submit
C:\Program Files (x86)\Windows Defender\purypol.com

Filesize
2KB

MD5
3e13bef1345cad73b852689375c5b637

SHA1
e65e21ac6ae65a6c5a39bc736fdfe84062d3e065

SHA256
e3100d8708388940fc3d8a9cc7a425fbdf4b5a68689d935fa78512c1939e0807

SHA512
ed563d3c3f6faf39fda9ff6f76cd56da020338624be26a35f8cddcb765635a50c9511b0e205428804c7521c546c1eb0c37298baa039cf00965d5334f68d4f8f2

Download Submit
C:\Program Files (x86)\Windows Defender\puzylyp.com

Filesize
2KB

MD5
686319bdd93d497947e8088098a8ef72

SHA1
1a1af24d0e44f4075afff970f5e08799192cb784

SHA256
a1af56d2e5e369182584be7a975ac8f4d3e416fe13205aa839b715be6756e77a

SHA512
9af0438e82abfa7074b65d356d85d668c10e1b9e7a9da2c726a18239e27695c8f09d52fa100dd6852e9b4a850fe69722510d6f398b120c7b8344a80a93de9621

Download Submit
C:\Program Files (x86)\Windows Defender\qexynyp.com

Filesize
302B

MD5
4ce666ef7a718c187215b2dccc0373b4

SHA1
47f0e38de0da8b6717af239eff02a1cfe0acc4f5

SHA256
884f8d4e93c19659410caae3482764775fad300524167b6b41376a3a496e8bd0

SHA512
afce1b468a04eb9733b8ef19cd228a2e02af78e5042c13407549031efaf3d0654dfd44e7723a7322a5c188d633c7a415a65f2a0539e7b061f3bd42b3807cd550

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
dc3e1aa54db92876cdbcbe1d1ccef02a

SHA1
2ff0b152ed379ce56f866454464d748bbf7184f7

SHA256
b75bd423472b466de902e810df0bee6b8e6499364d736cb97607e0b8e3f94ead

SHA512
db9067144086aec94963c9bc2ebeed31133a0244a000c6aacbe40bd1ed80d437d7f8d4faddd013823536ac4974dda8613b342abefa7ba398e902727d21b6cd1d

Download Submit
C:\Program Files (x86)\Windows Defender\vonyket.com

Filesize
302B

MD5
c16cb1b64e29c9517f90a0295b5cc4af

SHA1
1ec90f432d46d6aeb0b0f3100ba52ad69bd1ca22

SHA256
b32260a90267b21ab67d8f72ff09884ffecacf197260e0a761932b8cba9cc62e

SHA512
8e21bd58a4c1c9d76c9a6216029050cb3604fa08701215679792a1eff8c85bfdaf1dea98b126c463bbb2def36da7fed71b68fbc10609228d8f34dfa5ac78fc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HNGI42RJ\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
206KB

MD5
fafbdb54e7d9d049d77991c10336ef5b

SHA1
16c3f24bbff4581604d073f88a5b9f873a5b8434

SHA256
78360a15d5525d5156fd9007d75c7ef19947982236daad0c62b11822b67da63d

SHA512
01d5d715383134be9f7876989bc2a2b1bb3f156e9ffb0a71410d9589ea73c30596d0dee53359872f7b32bfa31805715bd65ff463bc7c375f7ebcfb7009edef31

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
206KB

MD5
fafbdb54e7d9d049d77991c10336ef5b

SHA1
16c3f24bbff4581604d073f88a5b9f873a5b8434

SHA256
78360a15d5525d5156fd9007d75c7ef19947982236daad0c62b11822b67da63d

SHA512
01d5d715383134be9f7876989bc2a2b1bb3f156e9ffb0a71410d9589ea73c30596d0dee53359872f7b32bfa31805715bd65ff463bc7c375f7ebcfb7009edef31

Download Submit
memory/1908-47-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-55-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-27-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-28-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-29-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-30-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-32-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-31-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-33-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-36-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-37-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-39-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-40-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-43-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-42-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-44-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-45-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-46-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-38-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-25-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-48-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-49-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-50-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-51-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-52-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-53-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-54-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-26-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-56-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-57-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-58-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-59-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-60-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-61-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-62-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-63-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-64-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-65-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-23-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-24-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-66-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-22-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-176-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1908-178-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-21-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-19-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/1908-12-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1908-15-0x0000000002A00000-0x0000000002AA4000-memory.dmp

Filesize
656KB

Download
memory/1908-17-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/4440-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4440-1-0x0000000000770000-0x00000000007BF000-memory.dmp

Filesize
316KB

Download
memory/4440-2-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4440-13-0x0000000000770000-0x00000000007BF000-memory.dmp

Filesize
316KB

Download
memory/4440-14-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download