a6320d82830e7f5e29a80342019dc44272096f8473afec272dfd1bfc5c4d80a0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35e1b1fa32a323b029b01b9cf136309.exe
Size

209KB
MD5

b35e1b1fa32a323b029b01b9cf136309
SHA1

1e2ce20398031c3ca7af5bc37e8db72210c3eae8
SHA256

a6320d82830e7f5e29a80342019dc44272096f8473afec272dfd1bfc5c4d80a0
SHA512

a136fe87a6941056117328056bd80bab2b8e653d57dc4a76e5998bf6ad253aaa3e01536a78cf4194f3b97e496cbb9d42beaa2eb428a34a8dc77c9ed820b70690
SSDEEP

6144:YOB8K/S3r3FfK3yDrjQVEzUIVhK+2aZyRO:YBKKzFfKCbQVEzNz4R

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4468	svchost.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\803da75 = "C:\\Windows\\apppatch\\svchost.exe"	b35e1b1fa32a323b029b01b9cf136309.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyhub.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\purylev.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	b35e1b1fa32a323b029b01b9cf136309.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	b35e1b1fa32a323b029b01b9cf136309.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe
4468	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3604	b35e1b1fa32a323b029b01b9cf136309.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3604	b35e1b1fa32a323b029b01b9cf136309.exe
Token: SeSecurityPrivilege	3604	b35e1b1fa32a323b029b01b9cf136309.exe
Token: SeSecurityPrivilege	4468	svchost.exe
Token: SeSecurityPrivilege	4468	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4468	3604	b35e1b1fa32a323b029b01b9cf136309.exe	86
PID 3604 wrote to memory of 4468	3604	b35e1b1fa32a323b029b01b9cf136309.exe	86
PID 3604 wrote to memory of 4468	3604	b35e1b1fa32a323b029b01b9cf136309.exe	86

C:\Users\Admin\AppData\Local\Temp\b35e1b1fa32a323b029b01b9cf136309.exe
"C:\Users\Admin\AppData\Local\Temp\b35e1b1fa32a323b029b01b9cf136309.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\IWO3BVS0\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
209KB

MD5
93e9dbdc032b7697ed742d45dd5cd9fb

SHA1
d5365bb31bb199a0b01dd525fbefbc4ccb07f116

SHA256
c97c14f6722c28c5f4e8705437e970b40fb92dccc066ad081f59852281df821d

SHA512
bd88762b0a7b906f8da6296948f2c4700e0b6fe3b274e87c1e738d8c2c4640c7b443b36879b0c648222eb61d99a9b45ff81204f457e08e97bd1ed7d67321da32

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
209KB

MD5
93e9dbdc032b7697ed742d45dd5cd9fb

SHA1
d5365bb31bb199a0b01dd525fbefbc4ccb07f116

SHA256
c97c14f6722c28c5f4e8705437e970b40fb92dccc066ad081f59852281df821d

SHA512
bd88762b0a7b906f8da6296948f2c4700e0b6fe3b274e87c1e738d8c2c4640c7b443b36879b0c648222eb61d99a9b45ff81204f457e08e97bd1ed7d67321da32

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
209KB

MD5
93e9dbdc032b7697ed742d45dd5cd9fb

SHA1
d5365bb31bb199a0b01dd525fbefbc4ccb07f116

SHA256
c97c14f6722c28c5f4e8705437e970b40fb92dccc066ad081f59852281df821d

SHA512
bd88762b0a7b906f8da6296948f2c4700e0b6fe3b274e87c1e738d8c2c4640c7b443b36879b0c648222eb61d99a9b45ff81204f457e08e97bd1ed7d67321da32

Download Submit
memory/3604-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3604-1-0x00000000025D0000-0x0000000002622000-memory.dmp

Filesize
328KB

Download
memory/3604-2-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3604-15-0x00000000025D0000-0x0000000002622000-memory.dmp

Filesize
328KB

Download
memory/3604-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4468-32-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-51-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-18-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-20-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-22-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-23-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-24-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-25-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-26-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-27-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-28-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-30-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-29-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-31-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-33-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-35-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-37-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4468-39-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-40-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-43-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-46-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-48-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-17-0x0000000002A00000-0x0000000002AAA000-memory.dmp

Filesize
680KB

Download
memory/4468-52-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-49-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-54-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-57-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-58-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-59-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-61-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-62-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-64-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-66-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-69-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-70-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-71-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-72-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-73-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-74-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-75-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-76-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-77-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-78-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download
memory/4468-432-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4468-433-0x0000000002BF0000-0x0000000002CA7000-memory.dmp

Filesize
732KB

Download