598dc8235dab8788f4fd1392d666f21a74043b2ee52e0a03c25d9f74d0f41872

Analysis

max time kernel
7s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9aa95e6164dc84ce3239ed4113501b3.exe
Size

208KB
MD5

f9aa95e6164dc84ce3239ed4113501b3
SHA1

18c9d51860bfba976c3408460029b7ec2e60362f
SHA256

598dc8235dab8788f4fd1392d666f21a74043b2ee52e0a03c25d9f74d0f41872
SHA512

e9187dd29a13dc1c741a704e8a1deff6a8dda83ef9e4533fbc74bdc2679e39b5743ce69581623450f6cd3d28220dc3c652331ee1318f4d0dc53dc52b98f109e1
SSDEEP

6144:wiuUDq+7K5zL0tM9QaUBSt6X+XrE/fWhvL8Y:Ju0qqKi2QQtsUr+fW9t

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4492	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9892fd04 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9892fd04 = "C:\\Windows\\apppatch\\svchost.exe"	f9aa95e6164dc84ce3239ed4113501b3.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	f9aa95e6164dc84ce3239ed4113501b3.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	f9aa95e6164dc84ce3239ed4113501b3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3684	4492	WerFault.exe	55

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	svchost.exe
4492	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1008	f9aa95e6164dc84ce3239ed4113501b3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 4492	1008	f9aa95e6164dc84ce3239ed4113501b3.exe	55
PID 1008 wrote to memory of 4492	1008	f9aa95e6164dc84ce3239ed4113501b3.exe	55
PID 1008 wrote to memory of 4492	1008	f9aa95e6164dc84ce3239ed4113501b3.exe	55

C:\Users\Admin\AppData\Local\Temp\f9aa95e6164dc84ce3239ed4113501b3.exe
"C:\Users\Admin\AppData\Local\Temp\f9aa95e6164dc84ce3239ed4113501b3.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 3928
    3⤵
    - Program crash
    PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
22KB

MD5
0a5bc5f0d2fac6781cba26755c6e1c81

SHA1
8ff7bdbe447327ae80cfeaac03c9af109f66cda2

SHA256
a506c7a466858267726bb09bf48d1c76f24df0c0e913b3ae48cbeea84b2aaf21

SHA512
008914c935c9c0430a90c705d1b50bfd468729641b33145a5f30c055c973ba1b16fdefa79d5137dca896a3a775d9ad540efd25c8d7d6cf9a8bc687b89975e4ee

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
9KB

MD5
23ecdaa65e1ba192d8b67ce81e9ecbec

SHA1
03b5bb3b4cefcbf1918f342a567a9cf22a070dcc

SHA256
c05e50de375ef92786759a3aca9be2ae35fd109361a6e964590cb27abd77c854

SHA512
4882545c7de68f6e204a31eb0e9ab6daa1918046ece46ac52ecbfac08c77c255a2c86ffd8eff26cb66df19e7ae0522cdd690218a6eee5c002c430bc55366db40

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
1KB

MD5
6f602afff4e164edbc78917f08436d10

SHA1
9797c256e106811a73e25687aa97e19a732baaef

SHA256
866edd1ecb7a561c3a18431bc3e1f5eb54020221c077e1e8bdf8ca573ff7d1a6

SHA512
c80eaf45b7d7e2e06879777aa3fc21cd1038e07acc05f5ee97fda5d1bfffbcd8d1a8319c5eacc47f29742c47ee9f50949a61020825bd6e7adf73e63cf6c7ab09

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
24db7d17687e84ebbfd9c181be00f1a2

SHA1
acaaa7d6e6671332c1efd093e555c6424a2ad5b0

SHA256
f7f13fe4fb7fc002f15c9b3c54020626a4a27817f376a87677fcf99c1f56aebf

SHA512
f56776b894d2ba6e5207e2c45ce3be62f548a86f6caeef50ba253fe1e197ccd9226c4d41a8ca98d54a3e4898f90e475b57e9c3522c3ab162ff4df075426904c6

Download Submit
C:\Program Files (x86)\Windows Defender\purylev.com

Filesize
2KB

MD5
a8fdd0012e6998420474a0c0669327c4

SHA1
aa0b687e766c259a247c16677f4c631ce542fc6e

SHA256
85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

SHA512
bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
699457d95715adef8b0f6180dbc8c159

SHA1
e85025ee2626565365e7811528b38227ab58df1b

SHA256
ae60e9a99e4ec8fd1bca81b561d2ea30fd098954fd1a27d028d91e97562c454d

SHA512
ea36139392e5dd7abe61b5b8dff5c78c9cf2bd074fc167489809c5ca5c341aba4a1aec2e06b8f1e94e6b988d0dcaccfdd03ce579745bb306a63ca522a0d19707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
11KB

MD5
63ed6e760b443c8aab038c34587fe9dc

SHA1
bf521cbffdd86da608201961b56539339293bc06

SHA256
3df95c721db87c276895939f01187fa1ae91d099ebb18ba8c64fa312775b50cc

SHA512
b5a1f10c44ec0535651d051e073796b7beaff4fd4e0c9d6b2a57f3a76e6a248be3be145876337fff9c19b974add3ceb3a4f7096fbba9d1adc08cd81e76647ad6

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
52KB

MD5
87e78595214025d653d35be9c12c8bef

SHA1
0a43b61c8bf271e5b7bed59b9900b10a563feb43

SHA256
a9f9d4578287ac9d9e066c6875c58a156702d04159ba2bfaa03ff9d4b0958a8e

SHA512
26f60ce7609e10ba711e896f372ca7f638fcdc62fd33ff3c68997f2a9fd4caef315335579abcad90cccee4b9e8970ebf723b589145d0338eeba70f7df14080df

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
52KB

MD5
7c006e6c99ebe21a640f708e736ad070

SHA1
3288e6eba176a1a6cd23bd33fcc8569866241b20

SHA256
b529a7158111048868c1f63a186884fdc4d9de3448ea61db8b2fce801b608966

SHA512
8ef2841571243fdbdabcb697f0a82842df683b99ebf9fea3baf870d540cbc897b79305434b001908d4a0ebc2dad6f11420fff79000bc40fdef3fd0653e32c702

Download Submit
memory/1008-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1008-13-0x00000000021F0000-0x000000000223F000-memory.dmp

Filesize
316KB

Download
memory/1008-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1008-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1008-1-0x00000000021F0000-0x000000000223F000-memory.dmp

Filesize
316KB

Download
memory/4492-58-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-47-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-45-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-53-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-56-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-60-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-65-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-72-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-75-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-77-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-74-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-73-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-71-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-70-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-69-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-68-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-66-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-64-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-62-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-63-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-61-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-37-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-32-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-59-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-54-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-55-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-52-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-51-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-50-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-49-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-48-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-42-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-44-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-41-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-40-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-39-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-27-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-38-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-36-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-34-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-35-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-33-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-31-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-30-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-29-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-28-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-23-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-26-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-25-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-24-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-22-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-21-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-20-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-327-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4492-18-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-16-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-462-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download
memory/4492-15-0x00000000029B0000-0x0000000002A54000-memory.dmp

Filesize
656KB

Download
memory/4492-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4492-2173-0x0000000077502000-0x0000000077503000-memory.dmp

Filesize
4KB

Download
memory/4492-2253-0x0000000002BA0000-0x0000000002C52000-memory.dmp

Filesize
712KB

Download