Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2023 20:39

General

  • Target

    spug64.exe

  • Size

    201KB

  • MD5

    af29a38b6f5daf91fc870a963df19326

  • SHA1

    ec97bde09deca0e88679cf356b6fcd5d8dd7f8a6

  • SHA256

    e1376b3c7237ef685ffe4185857ca13dd03f579fb009740b1d70225a04900734

  • SHA512

    bf7d9fbb84dc81080fc09397a0d42807931da8d050534a8d758286f38d6909c91f60ee298b183d7b3dc0657a64f848ff84b923e8c8e1439191b62f0725c7a51d

  • SSDEEP

    6144:Xt++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:c+cff22qZhZcKYhc/

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spug64.exe
    "C:\Users\Admin\AppData\Local\Temp\spug64.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Windows Defender\lyrysor.com

    Filesize

    1KB

    MD5

    5d0497aface1685d9ed40f2d9b32186b

    SHA1

    e2bea2d40a31907c7de3676f877997264421126d

    SHA256

    67b37970f3e594fb5b07f9060d1a8c36c97114fa89f130fa9ecbac8b20ca7014

    SHA512

    2d6f33df1f742c1c88db749ae97e7467bcd71716946d9824ad522a02c901d4ab4f054e3fdb6389e8a7bb1b1cfe1edd2f25907fba0148af9ead097d2ba24f6a33

  • C:\Program Files (x86)\Windows Defender\purylev.com

    Filesize

    2KB

    MD5

    a8fdd0012e6998420474a0c0669327c4

    SHA1

    aa0b687e766c259a247c16677f4c631ce542fc6e

    SHA256

    85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

    SHA512

    bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

  • C:\Program Files (x86)\Windows Defender\qetyhyg.com

    Filesize

    593B

    MD5

    926512864979bc27cf187f1de3f57aff

    SHA1

    acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

    SHA256

    b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

    SHA512

    f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

  • C:\Program Files (x86)\Windows Defender\qexyhuv.com

    Filesize

    300B

    MD5

    09603519f4ce9bd46e677c6e909adfcb

    SHA1

    4a895247e6ee77f994b4c309884da76536e5fc3f

    SHA256

    7c68dc8b412cccbce2530905d81e25bd9defcb87ff8ef445f2a24c6fb0edb093

    SHA512

    5417c14974ff294fda050e4c20eb093b1cb018bc73ee180f5ddc537be1a16de244d2e925165e31be39a5793ff79ad2c7757dca6fdd872efa19b627a080d28a14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    ef3c83ea5c1ceb23e823dea50db155a1

    SHA1

    3f6cf86b2f5ca8f1ea126b17ca29b446d5d85b2e

    SHA256

    8d6f6db5a26b9f1fd556a7b2dd904552e6fa8a1b6858c82a44a7699c5714c8f6

    SHA512

    bf22df0b52b48bcfd5d8aeda637e1be08d482b19beddf6df816c5e1861bfaa96cc5350241bb4159bfcea5a1fc1fdab85ed5332ed8c11cb6b75d4c769572bbcec

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1dfedfa31daa34b4ffbe5da2bb6f7375

    SHA1

    be832c10f58c9e9a8153a5f4cfcc277ef97ddc54

    SHA256

    514e3c33e1caa090292fe7223d4f46b8df19d6b2aa0c19850f529e9a4d49f487

    SHA512

    157f3aec6b608706c7e95b65aba7ba6b954b751bef1dc38665ae08afeb1b2e95f0331285f7f1b622087a4c3ba134e87985c2548c5dcc96f093a3de08541ef1cd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4K0WM73A\login[3].htm

    Filesize

    168B

    MD5

    d57e3a550060f85d44a175139ea23021

    SHA1

    2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

    SHA256

    43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

    SHA512

    0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

  • C:\Users\Admin\AppData\Local\Temp\CabF25C.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarF481.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Windows\AppPatch\svchost.exe

    Filesize

    27KB

    MD5

    96648d0186865435500f9e304c4483fb

    SHA1

    3599b385df49514f8c49ce62ea89fb9c970cff45

    SHA256

    1cb27253df2c4da7046ceaa8f386cf64823a77eb2acbe473f311bafa07899550

    SHA512

    89e46287f8554259675d9e5f296c501686346f17b2518bdd57b12d1835d16fdbdfda09867245f1fdf5d2691073469c41e9ad614de493e32d2099bcf2be23b1c5

  • C:\Windows\AppPatch\svchost.exe

    Filesize

    19KB

    MD5

    bbd8ab445ce128a50168468eceeaa271

    SHA1

    143afc82c99a8bf732d5177efd69c11a7494ac9d

    SHA256

    2f9f6bd3532e4559973144b287de99c2ce5225e5b19f905676a89ffea12c5410

    SHA512

    8656010d09f2ad644162d600e34fb4acea0230ddabfba40c0383b952496f4f5dc4fead8b2eff11357fa1eb28f16482908cf7cdc5e64cb36bea83e375f1c97020

  • C:\Windows\apppatch\svchost.exe

    Filesize

    109KB

    MD5

    6711e96e36b7558acab10e4354356454

    SHA1

    61f01391c77f0c1fb231469ccc36597dbeb93074

    SHA256

    a93c2c9bc7efb399788a445db658559297bd765129be33d66110d7d05aedb6dd

    SHA512

    7a5e84c8f472498cf63b62d7506f85f95ed1db6c8647dd0d7b7c5511bc75c886f06c127a3b59aee1820efda90fe1cdce5a9cdc4070b89f369730621929c73883

  • \Windows\AppPatch\svchost.exe

    Filesize

    201KB

    MD5

    58b22db2cc3e8bc05c5a783f00e5995a

    SHA1

    4ee7b2914256a741402ef87230a2073d42358cf5

    SHA256

    c1e6dece4b4e5dc063f4f73bf93ed90c3408e63d3af05229f33ecefe623734b7

    SHA512

    7533dc2c9eda3f1b8b32bc505125347a5249ef09180b6c452ce73c38d4d1bd40699cc4d6ca6b109bcb100ce75a405662c21c3f179756e386a957f4b09c48f1ad

  • memory/2096-0-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

  • memory/2096-16-0x00000000003B0000-0x00000000003FF000-memory.dmp

    Filesize

    316KB

  • memory/2096-18-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

  • memory/2096-2-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

  • memory/2096-1-0x00000000003B0000-0x00000000003FF000-memory.dmp

    Filesize

    316KB

  • memory/2512-70-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-71-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-43-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-47-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-53-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-56-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-58-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-60-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-62-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-61-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-63-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-59-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-57-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-55-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-54-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-64-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-52-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-67-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-68-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-69-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-35-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-74-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-75-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-77-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-79-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-78-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-76-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-73-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-72-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-33-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-81-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-82-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-80-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-66-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-65-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-51-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-50-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-49-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-45-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-48-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-46-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-44-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-42-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-41-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-40-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-38-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-39-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-37-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-188-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

  • memory/2512-206-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-31-0x00000000023D0000-0x0000000002482000-memory.dmp

    Filesize

    712KB

  • memory/2512-26-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-30-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-28-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-24-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-20-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-22-0x00000000021D0000-0x0000000002274000-memory.dmp

    Filesize

    656KB

  • memory/2512-19-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB

  • memory/2512-17-0x0000000000400000-0x0000000000491000-memory.dmp

    Filesize

    580KB