8f3676221f008c33e6c51a0f137c28a483fcc2044e9f304d74a93a35db207292

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe
Size

202KB
MD5

77cdc8f0f3bdface7191d8a9c45c3ce0
SHA1

48e53b42543477f3cad01cb7b8f5f19bd31f9f72
SHA256

8f3676221f008c33e6c51a0f137c28a483fcc2044e9f304d74a93a35db207292
SHA512

2d9b1cfed245bccd6d9321cb6b7c6047c60625e2d747ba406e3c7274e9aeb7bc3bbbdecc8b190820bfdcb6c179b68a825acb6f9a8fab6ff568d218b85be43a58
SSDEEP

6144:oBdMOv5SuYP/CcNmRmCG9aSebFjhQmarNPemxY:oJ5+dNSmTaplQxBxY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3632	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\24e8aeeb = "C:\\Windows\\apppatch\\svchost.exe"	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\24e8aeeb = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\puzylyp.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyvyxor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyvyxor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pumyjig.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3632	svchost.exe
3632	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 3632	1716	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe	89
PID 1716 wrote to memory of 3632	1716	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe	89
PID 1716 wrote to memory of 3632	1716	NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.77cdc8f0f3bdface7191d8a9c45c3ce0.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
22KB

MD5
5bcbd02b986bbc24a31f75017c64266a

SHA1
71a051a2ab06d3e8a47ff08d77161c7cbb48cccb

SHA256
efd20b59db7774006873d4988cbb4e5a616515d30d178eb7508c98af02294545

SHA512
0c5d9dc84c93c4cce933b524a23a938862faa9e4b1c664fc4e925f96aa6da2712bc8d1247b67f74a03ce297692fc46455af5e70ca538c8d5e84fff8e1c91d451

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
1KB

MD5
6754e6e19de3bae5032e8f26be6d4e7f

SHA1
78e83bf5b9f3b2feda92936f748852efb8c0049f

SHA256
e12f0e9a687a60807ab40d017f315082fc9e0d71d61c636b4083c2f95d9b6d36

SHA512
0904531f88b84e001515d781349b1e76887ce2f9a9eab1c5af746f241ca895b2662e4dec63977df4d1aac191b49b4705f9aac574a8daeba337d1989aeacbeeae

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
1KB

MD5
3586f7b4c6dbe41cfe171c072a3de995

SHA1
ab86dea663803f3ff0dad0fd27f81839ad59fe6a

SHA256
4ca6c34ca68b1899422ab80d324328d285f39d67771ca6890a92401afd2580b2

SHA512
489bbec707ae420438c7d75339fc960d5c2a75618087c877d5404de4a83945b197f9f8ff7d729cefbd37b342ec61b2d1a174ee5429cee175dc0933f5d0a0b873

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
be0a5a4ae2d7018c6b5180d54bffeb43

SHA1
740c6310999e05d04866313a9f7ace7cb37984bf

SHA256
f72bcbc6c77e3e8426bcaa49a754b49d7417e740f162a151d0fa122f122c5c65

SHA512
2d535ace166b02459ba914eae8acfd0f168d33d7b88ad9ece2c2d2ff6db8ce30b57a0bd2a7e7968d0e7129fdfcdce98e6f171ee9c3942ef146051d703a3bbd7d

Download Submit
C:\Program Files (x86)\Windows Defender\lyxynyx.com

Filesize
302B

MD5
26f069896df0b6bc1509c74f8f0f48b3

SHA1
5422e00b5fc17bfa09969cea6fdfdcc471dffe15

SHA256
cb2b1f62f6f841a7a7e9a6f4f43192416e333c0bef36b4f7ef9b9f8764602539

SHA512
4da29e5d3128f06050412b1b4649688facdcd3d5116eec62f3d06517321c9872bfa0be416399ddf142b132a161e54cb001af087716a624f1b00fd9ab5d70c87a

Download Submit
C:\Program Files (x86)\Windows Defender\pumyjig.com

Filesize
302B

MD5
20b5bad607397dbe2e6e42472cfa7fb3

SHA1
84817f56b34ebf71fd04f20edf79e91327ec3e71

SHA256
9fb43a1e0c7b4d45fbc4d94b015fb1ee98f40f3669e5291eb941f315a6776d89

SHA512
c20d928207cfa857a1394c349298c9160da9aae749c4246e7a053007b135ee9a32b980193d92d87c13fd14aaf8ed6e3fd881030431307dffd9ba53155823bf4a

Download Submit
C:\Program Files (x86)\Windows Defender\pupydeq.com

Filesize
12KB

MD5
1639705c0468ff5b89d563cc785c9374

SHA1
f6807f616bab661123da67196ca7d5015df9ea82

SHA256
4788bc2f12f5ef35a1e86ba33d4ecd9efcc89446502465d7e8320a36c6a0e25c

SHA512
d50f65b6100586ddda7d62a8d21d013e0c5d4c52a2fc5d53867ba086571116dac992eefd2fb55873196f3516bac91c9cff8da5f4b8f91e5f9c13240e5622d768

Download Submit
C:\Program Files (x86)\Windows Defender\purylev.com

Filesize
2KB

MD5
a8fdd0012e6998420474a0c0669327c4

SHA1
aa0b687e766c259a247c16677f4c631ce542fc6e

SHA256
85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

SHA512
bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

Download Submit
C:\Program Files (x86)\Windows Defender\puzylyp.com

Filesize
2KB

MD5
1023b0b889037043754b02db4c7b4afa

SHA1
3ec42bd4b5dcb404cc5a97d176ea1dabe5543939

SHA256
01210358b58fea70bd24b8630fdab3f0d959611ab37848aa65737334ef7e2730

SHA512
ee715fe780fb11e0a790b3a7f3eff40a39c3164fd10542a87a7ad8528915ecb089fa05861a736ff33f3e6b16440dcf34992524a3437af7cc81167b089eb4337b

Download Submit
C:\Program Files (x86)\Windows Defender\vofycot.com

Filesize
302B

MD5
e9f0ea4841e3e95ac5c42e9456d86879

SHA1
e5c84b1d113b42705040b3638c68d910151611bf

SHA256
b2ed2b34413f95437d2ef427d6ae61d41cbbe17a89c8a2e9ff7040cd5d6d7da3

SHA512
ce1d3435742e2b0a29f5f829da817f6d819242b92bbcb306eb33e84368ea41b863c7ad676bc30ea5bd4e405f4bc5c53b52941081c16095b3e6bddd63fdf1a84a

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
3ceb42133e997c3ae2459d114c08c35d

SHA1
089a0f7416165e45cda59bb4be74b3165ba79b01

SHA256
9bdda3d524151896d577735e776724b29cec64e1effa870ac22bf719bddb14e5

SHA512
5fe6afb62760737c8b0aa7fc4b01a941b758a054eecde9d890482ab4cd662ec22408deb6175605863e70d0b0baf5a94d922d782f5ec944f903b8effa327df18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PVJSO5VT\login[2].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
202KB

MD5
dc9756723381f0997c928db637a31192

SHA1
b623d3aff104d17fd6a6d412efae1c7be6d39f16

SHA256
77dd04b985a38796f543c2be5fcff39859bb009496a458e22511cdac7c0ad650

SHA512
28247b72600a91e561e3a149ad38efe2f1b98776ef1a9c07a8e73f0be83dfb78e99610510d61aaa6fd7c7a2e763f5fed92fc2ea4dbbf851118bf3572c2b3d3bf

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
202KB

MD5
dc9756723381f0997c928db637a31192

SHA1
b623d3aff104d17fd6a6d412efae1c7be6d39f16

SHA256
77dd04b985a38796f543c2be5fcff39859bb009496a458e22511cdac7c0ad650

SHA512
28247b72600a91e561e3a149ad38efe2f1b98776ef1a9c07a8e73f0be83dfb78e99610510d61aaa6fd7c7a2e763f5fed92fc2ea4dbbf851118bf3572c2b3d3bf

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
202KB

MD5
dc9756723381f0997c928db637a31192

SHA1
b623d3aff104d17fd6a6d412efae1c7be6d39f16

SHA256
77dd04b985a38796f543c2be5fcff39859bb009496a458e22511cdac7c0ad650

SHA512
28247b72600a91e561e3a149ad38efe2f1b98776ef1a9c07a8e73f0be83dfb78e99610510d61aaa6fd7c7a2e763f5fed92fc2ea4dbbf851118bf3572c2b3d3bf

Download Submit
memory/1716-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1716-11-0x00000000021E0000-0x000000000222F000-memory.dmp

Filesize
316KB

Download
memory/1716-1-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1716-0-0x00000000021E0000-0x000000000222F000-memory.dmp

Filesize
316KB

Download
memory/3632-46-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-61-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-29-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-31-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-30-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-32-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-33-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-35-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-39-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-42-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-43-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-45-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-27-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-48-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-49-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-51-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-52-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-54-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-57-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-58-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-59-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-60-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-62-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-28-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-63-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-64-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-69-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-66-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-74-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-75-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-76-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-26-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-25-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-24-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-23-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-77-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-122-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3632-337-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-22-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-21-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-20-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-19-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-17-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-15-0x0000000002BB0000-0x0000000002C62000-memory.dmp

Filesize
712KB

Download
memory/3632-13-0x0000000002A00000-0x0000000002AA4000-memory.dmp

Filesize
656KB

Download