cb911a654c52a48d72d70016a5cea17ca4810373910411a1f3a7a5a87f5a4dbf

Analysis

max time kernel
169s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c3d1158567521f180fda6fa3918b1f.exe
Size

355KB
MD5

25c3d1158567521f180fda6fa3918b1f
SHA1

e1f8b032f2c3a732acc99db12c53cb662046ad20
SHA256

cb911a654c52a48d72d70016a5cea17ca4810373910411a1f3a7a5a87f5a4dbf
SHA512

2797b837627ab56dcb55e940862dfdf52c4c047f0f8ee412eac139e89c45b566be2421b0d7bf67ddb4ae35fa345feb6a6760b8c64a669b19736fba14377db7e3
SSDEEP

6144:f3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:cmWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d46e910c = "NŸx\x13U+P»1\x0fàÌ”\x0e´$)ï¾X®²‡T\u0081\x17b°‘,aÌ]\x05dä¼¥=Üädô]¤Då\x1cÕÕÖd\rþü~ulÔ~\|äd\x16D¤åµl\|6eeå&œ\x04Å”\u008dL”5u,]\x1dT\x15,Æü\x04”lL6>ülT\x05\x05eµM\x05Df\rÎ\x04u”\u00ad\|l½l”ô\u00adî>-\|ÜL„–¼ÆE\|Uí¬Fô\u008d¬]¤D-LD¬œEÔ\fìäü,Í\r\x1c]\x15Ì\r–®¾þ\x164”¶vô&þ6Œî<Å4Ì<ž\x16Tî”v´\x05&œ]\x1cí\x0e¬”6\u008dtäŒÄ\x1cD\x1cÖŒæ\f¥œÍ\x14>\fU\fÔôîÕ\x04\x16¥íœ¶¤\u009dD5„ž5ä\x14>t]¶.\x15=Ln†õýå\x15vD\x1cD\x15ÕD"	25c3d1158567521f180fda6fa3918b1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d46e910c = "NŸx\x13U+P»1\x0fàÌ”\x0e´$)ï¾X®²‡T\u0081\x17b°‘,aÌ]\x05dä¼¥=Üädô]¤Då\x1cÕÕÖd\rþü~ulÔ~\|äd\x16D¤åµl\|6eeå&œ\x04Å”\u008dL”5u,]\x1dT\x15,Æü\x04”lL6>ülT\x05\x05eµM\x05Df\rÎ\x04u”\u00ad\|l½l”ô\u00adî>-\|ÜL„–¼ÆE\|Uí¬Fô\u008d¬]¤D-LD¬œEÔ\fìäü,Í\r\x1c]\x15Ì\r–®¾þ\x164”¶vô&þ6Œî<Å4Ì<ž\x16Tî”v´\x05&œ]\x1cí\x0e¬”6\u008dtäŒÄ\x1cD\x1cÖŒæ\f¥œÍ\x14>\fU\fÔôîÕ\x04\x16¥íœ¶¤\u009dD5„ž5ä\x14>t]¶.\x15=Ln†õýå\x15vD\x1cD\x15ÕD"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	25c3d1158567521f180fda6fa3918b1f.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	25c3d1158567521f180fda6fa3918b1f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
4752	25c3d1158567521f180fda6fa3918b1f.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe
3128	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4752	25c3d1158567521f180fda6fa3918b1f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3128	4752	25c3d1158567521f180fda6fa3918b1f.exe	90
PID 4752 wrote to memory of 3128	4752	25c3d1158567521f180fda6fa3918b1f.exe	90
PID 4752 wrote to memory of 3128	4752	25c3d1158567521f180fda6fa3918b1f.exe	90

C:\Users\Admin\AppData\Local\Temp\25c3d1158567521f180fda6fa3918b1f.exe
"C:\Users\Admin\AppData\Local\Temp\25c3d1158567521f180fda6fa3918b1f.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26F8.tmp

Filesize
2KB

MD5
7f964e1036a61ed36ac8cc149b7f0d55

SHA1
30582bd613f9449a1243edc94f614734476bfd30

SHA256
502a4e79b32d46392e558283538ecf61515bdd30c314c222dd0a2cfdb6d90cbd

SHA512
857a09521246a7cdc327f804c87eeff4b15e5748854ca9cd9a0c0f213411e7b0a0e4bbd3d06e94e19fa7611e7dcaff2ab14a8d12da865ca1151503fdf8271d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\8244.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8AC5.tmp

Filesize
2KB

MD5
a8fdd0012e6998420474a0c0669327c4

SHA1
aa0b687e766c259a247c16677f4c631ce542fc6e

SHA256
85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

SHA512
bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE58.tmp

Filesize
22KB

MD5
148ec1fe0244e01293df8a4bf40a1a43

SHA1
739a19705ac4b1e78ec1dc10025702dae116123a

SHA256
27d0df63ba0c3c8ca125c34d46d5b03e5be7d1762e409b5d6c9c458931613f40

SHA512
7afc6d886858d7938bc0b6b72c58b1a0322f7f90b872a5cd753e82af9560e7d8d4c31343f60af33c392681da1ed51525b6924287a131981c58a7d571680616ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE59.tmp

Filesize
92KB

MD5
3ec4e221f505b50ee504f28feeb924b1

SHA1
ac68a31549043904363ce0149cfac6f135bc28bd

SHA256
2c552fd696f05673ca76118ee72e6c5c4e5efd1e6db238e8290318631880151d

SHA512
5a375f7d940b5180095fdebd711eace0077df2a49438b4c9a098f45025595a84a660feb3a0d9c4c6afc06eb91d27497088ff87ba73413462f0e870920e7dc349

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0CF.tmp

Filesize
481B

MD5
e42ec375d95a0374dd55125136be6611

SHA1
b7ddf8f9d9c918bfe728e5e0549556447d20a3fb

SHA256
5421eecb70efdb73b708076d58dd55ae76c33c37ce96bb881ea3c19adea4c210

SHA512
025b9b7ee39b7be5f5d7a671725e7008f07cba085a7ed8c7d98e17fa01017e273f2cc2b4078478265bb85f4bbccc0dc843a2f0a80b6704532e07c7c5cf7e33a1

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
daf15618f08c9c3b2f3f01657dd1b282

SHA1
d4d50c1fdac00527afb8334e9b747787e68795bc

SHA256
fda2e017164f77fad22123e46d90a8965d0dc781da80a17363a8127487258b52

SHA512
baf434c80002ef6b41380d82f236aa5da3673c58b4a9cd5481f4e7ab79b9ced15f0bac06c0021c85e573e4e0b4234ea0af265229c2e5fa6fcc672b681e9821d5

Download Submit
memory/3128-43-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-72-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-12-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-15-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-16-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-17-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-18-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-19-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-20-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-21-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-22-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-25-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-26-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-27-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-24-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-66-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-28-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-29-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-30-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-31-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-32-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-33-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-34-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-37-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-41-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-42-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-44-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-10-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-45-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-50-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-14-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-55-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-23-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-69-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-61-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-71-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-70-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-68-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-67-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-64-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-65-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-63-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-62-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-60-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-58-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-59-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-57-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-56-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-54-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-53-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-52-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-51-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-49-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-48-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-47-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-46-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-40-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-39-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-38-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-36-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-9-0x0000000002940000-0x00000000029E8000-memory.dmp

Filesize
672KB

Download
memory/3128-35-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/3128-170-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download