24bd1aa2847e41d4886287054e53e93850256cadb0e1de42c19e41737898c7be

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c70d56e1c3d33b06262e88fd0a22da8.exe
Size

16KB
MD5

0c70d56e1c3d33b06262e88fd0a22da8
SHA1

c8e3ffeec58c5967d374d5cbb0bd295262e655dd
SHA256

24bd1aa2847e41d4886287054e53e93850256cadb0e1de42c19e41737898c7be
SHA512

10ae81a0296c780cb68c2ffa5f31c89a180ad4e107a2314f646acc6d76ec9858390c6ba0f6a872fce59d58414aded1eecb088618deeb84e8fff9d4eccd539ba9
SSDEEP

384:ieiZ1p+qNr1PnOPLeUiQAkxElXpaCyGnoQbcS:lqp1PnsLdhDalXphyGl

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,svchost.xy3"	REG.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2516-3-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0007000000012284-7.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.xy3	0c70d56e1c3d33b06262e88fd0a22da8.exe
File opened for modification	C:\Windows\SysWOW64\svchost.xy3	0c70d56e1c3d33b06262e88fd0a22da8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	0c70d56e1c3d33b06262e88fd0a22da8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2284	2516	0c70d56e1c3d33b06262e88fd0a22da8.exe	28
PID 2516 wrote to memory of 2284	2516	0c70d56e1c3d33b06262e88fd0a22da8.exe	28
PID 2516 wrote to memory of 2284	2516	0c70d56e1c3d33b06262e88fd0a22da8.exe	28
PID 2516 wrote to memory of 2284	2516	0c70d56e1c3d33b06262e88fd0a22da8.exe	28

C:\Users\Admin\AppData\Local\Temp\0c70d56e1c3d33b06262e88fd0a22da8.exe
"C:\Users\Admin\AppData\Local\Temp\0c70d56e1c3d33b06262e88fd0a22da8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d userinit.exe,svchost.xy3 /f
  2⤵
  - Modifies WinLogon for persistence
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchost.xy3

Filesize
16KB

MD5
0c70d56e1c3d33b06262e88fd0a22da8

SHA1
c8e3ffeec58c5967d374d5cbb0bd295262e655dd

SHA256
24bd1aa2847e41d4886287054e53e93850256cadb0e1de42c19e41737898c7be

SHA512
10ae81a0296c780cb68c2ffa5f31c89a180ad4e107a2314f646acc6d76ec9858390c6ba0f6a872fce59d58414aded1eecb088618deeb84e8fff9d4eccd539ba9

Download Submit
memory/2516-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2516-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download