598dc8235dab8788f4fd1392d666f21a74043b2ee52e0a03c25d9f74d0f41872

Analysis

max time kernel
183s
max time network
178s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9aa95e6164dc84ce3239ed4113501b3.exe
Size

208KB
MD5

f9aa95e6164dc84ce3239ed4113501b3
SHA1

18c9d51860bfba976c3408460029b7ec2e60362f
SHA256

598dc8235dab8788f4fd1392d666f21a74043b2ee52e0a03c25d9f74d0f41872
SHA512

e9187dd29a13dc1c741a704e8a1deff6a8dda83ef9e4533fbc74bdc2679e39b5743ce69581623450f6cd3d28220dc3c652331ee1318f4d0dc53dc52b98f109e1
SSDEEP

6144:wiuUDq+7K5zL0tM9QaUBSt6X+XrE/fWhvL8Y:Ju0qqKi2QQtsUr+fW9t

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	f9aa95e6164dc84ce3239ed4113501b3.exe
2584	f9aa95e6164dc84ce3239ed4113501b3.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b2137e81 = "C:\\Windows\\apppatch\\svchost.exe"	f9aa95e6164dc84ce3239ed4113501b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b2137e81 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	f9aa95e6164dc84ce3239ed4113501b3.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	f9aa95e6164dc84ce3239ed4113501b3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2584	f9aa95e6164dc84ce3239ed4113501b3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2600	2584	f9aa95e6164dc84ce3239ed4113501b3.exe	29
PID 2584 wrote to memory of 2600	2584	f9aa95e6164dc84ce3239ed4113501b3.exe	29
PID 2584 wrote to memory of 2600	2584	f9aa95e6164dc84ce3239ed4113501b3.exe	29
PID 2584 wrote to memory of 2600	2584	f9aa95e6164dc84ce3239ed4113501b3.exe	29

C:\Users\Admin\AppData\Local\Temp\f9aa95e6164dc84ce3239ed4113501b3.exe
"C:\Users\Admin\AppData\Local\Temp\f9aa95e6164dc84ce3239ed4113501b3.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
cc45f1d590581220cae343dc5d827163

SHA1
f1f8cf343100fb53c956a69e56caed1902892a01

SHA256
4a66f8b72f02652257a049ca502d91f65a0a74577d343a58b8021c261c5c5c26

SHA512
054b30a26dac181e6bdd6439e225b667afe71b4cfcbf52ffa75285e9fc1a227bf5f67cc84120c94fbef8b479fdf2648045b89868379bb977b8e2ac951f09c58f

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
64KB

MD5
9a0f672d8aa705541c4f70a25db31406

SHA1
c1aaa65bf9b5cd27af10daa8b28d1d8b766954ae

SHA256
94eccdba72ac056a3fc41878022b3be8a28c4ae383f7552b3666e83905bf4bd8

SHA512
9df9b529e27f49b1fa5fd19e1ca884b79e5afd26704432ab4ac9f4117b5a46205cb615d6c12277e9e387bbda56eb2dead43d97db4c50b0931b736adce1f79b1f

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
208KB

MD5
6171455101eb2a6ed062b33cd2c30475

SHA1
b7b51f5541e7598d330bcee2b8af20e92e705411

SHA256
f2d328e78579f62fc08b1e2c5a3eebe7a1816cea522fe4d6af5c6020485ab903

SHA512
3bfe0ad76f682a03d65e5051f123a9e9497c2327c67fd0f4fbcd5ff74c4289512ca50bdb2a9ab0dfaa5ad3cbcb96fbc69dc65faa11955dfc27662c03acb1de36

Download Submit
memory/2584-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2584-1-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/2584-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2584-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2584-17-0x0000000000220000-0x000000000026F000-memory.dmp

Filesize
316KB

Download
memory/2600-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2600-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2600-21-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-23-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-25-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2600-28-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-30-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-32-0x0000000001CC0000-0x0000000001D64000-memory.dmp

Filesize
656KB

Download
memory/2600-34-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-36-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-38-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-42-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-43-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-44-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-45-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-49-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-48-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-50-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-47-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-51-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-52-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-46-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-54-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-53-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-55-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-56-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-57-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-59-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-58-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-60-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-62-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-61-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-63-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-67-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-73-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-72-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-75-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-74-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-71-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-81-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-83-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-82-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-80-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-79-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-78-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-76-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-77-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-70-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-69-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-68-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-66-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-64-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-65-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download
memory/2600-211-0x00000000023B0000-0x0000000002462000-memory.dmp

Filesize
712KB

Download