a6320d82830e7f5e29a80342019dc44272096f8473afec272dfd1bfc5c4d80a0

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35e1b1fa32a323b029b01b9cf136309.exe
Size

209KB
MD5

b35e1b1fa32a323b029b01b9cf136309
SHA1

1e2ce20398031c3ca7af5bc37e8db72210c3eae8
SHA256

a6320d82830e7f5e29a80342019dc44272096f8473afec272dfd1bfc5c4d80a0
SHA512

a136fe87a6941056117328056bd80bab2b8e653d57dc4a76e5998bf6ad253aaa3e01536a78cf4194f3b97e496cbb9d42beaa2eb428a34a8dc77c9ed820b70690
SSDEEP

6144:YOB8K/S3r3FfK3yDrjQVEzUIVhK+2aZyRO:YBKKzFfKCbQVEzNz4R

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2288	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	b35e1b1fa32a323b029b01b9cf136309.exe
1164	b35e1b1fa32a323b029b01b9cf136309.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8b9d3528 = "C:\\Windows\\apppatch\\svchost.exe"	b35e1b1fa32a323b029b01b9cf136309.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	b35e1b1fa32a323b029b01b9cf136309.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	b35e1b1fa32a323b029b01b9cf136309.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2288	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1164	b35e1b1fa32a323b029b01b9cf136309.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1164	b35e1b1fa32a323b029b01b9cf136309.exe
Token: SeSecurityPrivilege	1164	b35e1b1fa32a323b029b01b9cf136309.exe
Token: SeSecurityPrivilege	2288	svchost.exe
Token: SeSecurityPrivilege	2288	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2288	1164	b35e1b1fa32a323b029b01b9cf136309.exe	28
PID 1164 wrote to memory of 2288	1164	b35e1b1fa32a323b029b01b9cf136309.exe	28
PID 1164 wrote to memory of 2288	1164	b35e1b1fa32a323b029b01b9cf136309.exe	28
PID 1164 wrote to memory of 2288	1164	b35e1b1fa32a323b029b01b9cf136309.exe	28

C:\Users\Admin\AppData\Local\Temp\b35e1b1fa32a323b029b01b9cf136309.exe
"C:\Users\Admin\AppData\Local\Temp\b35e1b1fa32a323b029b01b9cf136309.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c6e087a2328e7fe4cbe101fec21301a

SHA1
423187b9d16b0edd81971c830ff30d73460fffc7

SHA256
5ba09091d5ebd96b34d3559a7cb2f328430bfd70f9cb50b3ece1b83a7010f37e

SHA512
1153975420bbba567ab4845123b2f1deef17603f7301a343eb33a64500025d5a97a283369a013f5a5376533d2f95a02af4223dbeb9d6e00393c9c7b95c9f6570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94ea2c013ad31941c815d74a139f0c79

SHA1
a55a6902426b633df777efedfe96627496053bc5

SHA256
71fdb0b4f05a657230c43ca188db5b88b7745df9347a2047524dae34a9ecf06f

SHA512
4e24439e2c16a7c46fa1958f13161c2e56d4ddd4aac19588e1d072ac08432026feac8778c49235d0fc1735e3cb45335b1d204cfd68ef82a77544d360d335570a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
38f37d4af045bb5233699532d0500fac

SHA1
d26f31660252e8fe6df0d0e0b0e1c3506a84f237

SHA256
6d533bef0ad5c6b837661ce1707dce95b13116119f42c28418d8f530c49c431b

SHA512
ba995e3a19546da35762e323f9988577d0356480e74585c166326db1ac7f32b3ef0166f8a40d5e667df799b090cca43089ba4ea4e51914ee84c10cc6c4e321b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\CabC0C4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\TarC0E7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
209KB

MD5
6181e52c87d360ad309ca8a68ba8450f

SHA1
a4a41409ca822daa9e8256d30adabf3fbbe6939a

SHA256
7095178a056665adbacb8e546f181dcb57de2764c70f6e8612218ebd066a90ab

SHA512
297de26fc1892608b631ce5c1b41cdac9d4671a531305a86889964c38181a55f141cd60211cacfea169f1658d502564b805e458ebf21b02c67eca2f86ddc1b45

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
209KB

MD5
6181e52c87d360ad309ca8a68ba8450f

SHA1
a4a41409ca822daa9e8256d30adabf3fbbe6939a

SHA256
7095178a056665adbacb8e546f181dcb57de2764c70f6e8612218ebd066a90ab

SHA512
297de26fc1892608b631ce5c1b41cdac9d4671a531305a86889964c38181a55f141cd60211cacfea169f1658d502564b805e458ebf21b02c67eca2f86ddc1b45

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
209KB

MD5
6181e52c87d360ad309ca8a68ba8450f

SHA1
a4a41409ca822daa9e8256d30adabf3fbbe6939a

SHA256
7095178a056665adbacb8e546f181dcb57de2764c70f6e8612218ebd066a90ab

SHA512
297de26fc1892608b631ce5c1b41cdac9d4671a531305a86889964c38181a55f141cd60211cacfea169f1658d502564b805e458ebf21b02c67eca2f86ddc1b45

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
209KB

MD5
6181e52c87d360ad309ca8a68ba8450f

SHA1
a4a41409ca822daa9e8256d30adabf3fbbe6939a

SHA256
7095178a056665adbacb8e546f181dcb57de2764c70f6e8612218ebd066a90ab

SHA512
297de26fc1892608b631ce5c1b41cdac9d4671a531305a86889964c38181a55f141cd60211cacfea169f1658d502564b805e458ebf21b02c67eca2f86ddc1b45

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
209KB

MD5
6181e52c87d360ad309ca8a68ba8450f

SHA1
a4a41409ca822daa9e8256d30adabf3fbbe6939a

SHA256
7095178a056665adbacb8e546f181dcb57de2764c70f6e8612218ebd066a90ab

SHA512
297de26fc1892608b631ce5c1b41cdac9d4671a531305a86889964c38181a55f141cd60211cacfea169f1658d502564b805e458ebf21b02c67eca2f86ddc1b45

Download Submit
memory/1164-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1164-18-0x0000000000290000-0x00000000002E2000-memory.dmp

Filesize
328KB

Download
memory/1164-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1164-1-0x0000000000290000-0x00000000002E2000-memory.dmp

Filesize
328KB

Download
memory/1164-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2288-54-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-64-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-35-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-32-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-38-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-39-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-40-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-41-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-42-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-43-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-45-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-44-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-46-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-47-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-48-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-49-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-50-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-52-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-53-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-51-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-30-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-55-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-56-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-57-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-58-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-59-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-60-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-61-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-62-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-33-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-63-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-65-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-66-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-68-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-67-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-69-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-70-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-71-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-72-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-73-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-75-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-74-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-76-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-77-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-79-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-81-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-80-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-83-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-84-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-184-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2288-28-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-26-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-24-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-350-0x0000000001F40000-0x0000000001FF7000-memory.dmp

Filesize
732KB

Download
memory/2288-22-0x0000000001E40000-0x0000000001EEA000-memory.dmp

Filesize
680KB

Download
memory/2288-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2288-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download