744c68306b42089e9aa6521db82dbafca142d642b8c7eb0c9b6747bf68d0b8d3

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
Size

211KB
MD5

9b51a5efe3ee8ab6d2ce19e4e56d0357
SHA1

35d876a14a3a8f7a15e4f39a7cbbce6b1f35078f
SHA256

744c68306b42089e9aa6521db82dbafca142d642b8c7eb0c9b6747bf68d0b8d3
SHA512

9458551ccd0c57f3de817e8132fc30f0325080a44d2c8eed9065f14419957868a3016f628629e3f81ec6978880a4b9b4399647e45c9611518fec45fcf66d3f31
SSDEEP

3072:0GwPsm1VrwxOsf0juzv8j4P1Hr6krr4IEhx9QZe2gO9mG9UHA30Vt3E/vDjb:0G/iVkO20SFgBhxtW9mG9+Umt3Ezjb

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2364	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\79a06283 = "7\fL\abÙ–I\x1bU¤N>×7>wPˆ`õ%aÏ8\|\x10Õ#‚IÖwv°Pk÷g¦Æë\x13B»–›À«s_0[_Ï£€¬ÃOôÛœ?kÛão¾\x0e²°âS[Óæ§rXß¯CxF\x0f²¤'Ç\u008f£®^\u008f»ç\x7f\x1eúž\x14ú&Œã»‡«Âs7¢N\x03\x14ž\x03"	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\79a06283 = "7\fL\abÙ–I\x1bU¤N>×7>wPˆ`õ%aÏ8\|\x10Õ#‚IÖwv°Pk÷g¦Æë\x13B»–›À«s_0[_Ï£€¬ÃOôÛœ?kÛão¾\x0e²°âS[Óæ§rXß¯CxF\x0f²¤'Ç\u008f£®^\u008f»ç\x7f\x1eúž\x14ú&Œã»‡«Âs7¢N\x03\x14ž\x03"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe
2364	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 2364	3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe	84
PID 3524 wrote to memory of 2364	3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe	84
PID 3524 wrote to memory of 2364	3524	9b51a5efe3ee8ab6d2ce19e4e56d0357.exe	84

C:\Users\Admin\AppData\Local\Temp\9b51a5efe3ee8ab6d2ce19e4e56d0357.exe
"C:\Users\Admin\AppData\Local\Temp\9b51a5efe3ee8ab6d2ce19e4e56d0357.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BUOTXRX9\login[4].htm

Filesize
593B

MD5
3b03d93d3487806337b5c6443ce7a62d

SHA1
93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

SHA256
7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

SHA512
770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K44LV95Q\login[5].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\37DB.tmp

Filesize
2KB

MD5
725409de8fcc3f613155e614e6988910

SHA1
ea3447239f4f3b559464104f979794fd489f5563

SHA256
a83f25eed899d1e2ad725432d9ed15826475a519522a3df8dbadf6a6aa9f50d5

SHA512
d5250a92216115ca900fbbbc5c315820b491901fd040a233ac9b92cf44a5bc865f7a9bb0741d7563a7791f2af53fe71b01ea24cd322c1604ce4d367c60b89bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\733C.tmp

Filesize
1KB

MD5
ee859d7cfdd1c1cb443a268d62a305a1

SHA1
db5c78af22eb4c167a9a1316a72c840e5a5f77bb

SHA256
d47f95699d74aa4eb0a83cb792ff107e94c4a48ca036b9313056d97fce551b18

SHA512
dfaa32a6d29d2a01fb0445a356c9b2546f1685907f05d71ea6d6a559277ae2073d6631a79f47fe3214979ac644a01d54a9bf64c770273ec53478101e7b2632e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FB8.tmp

Filesize
481B

MD5
fdb8e6faa8609a028297daac4eac1eb5

SHA1
3d1416df18a32bea89d30e5e08552a1eac355859

SHA256
d1cbcc8d6fc54d03289bf0e84794b3a0d3ea0517d162bf1733f8ebb7c5110878

SHA512
f9c7bec5ae52d2533b1af18a690214c667bda22f14d9d12dd0d68e235347c5dd33b40f4c6634ec0555e8b65c4361140fe5ddc8bd6f144ee986ffeecf872ff1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81FA.tmp

Filesize
1KB

MD5
53a93812117015375bddb4d444a41312

SHA1
81dba2476583928f70f0c83be91f1bb5149f66e8

SHA256
1340b12d970b09506bd0af3b1b64d869a95380965900ad275fcb024eaa529a32

SHA512
f8e9d8f98bd47c5b36709b434bd4b3acb4b033c6c35e641762e00ae344481752d94d682419704e1c5d3098a2a2cbb0b03747d50534008b4e39e6fa92226b7aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3E7.tmp

Filesize
22KB

MD5
3d9f0fe82f592fd9409ca76b5baee217

SHA1
f5de8a79988d394b0b85b67c7dc3efcce766ceab

SHA256
3318bdd1a6b29bae7de3286a7933d7704715ec0183475552b61dbe5c652692b9

SHA512
f48dddcabafbb308a3b7442f9323a696876efee4270952f0e3c09549e81fa05b254dcfa3e633f8a99a452a8ae732dff74b9d88534a130c19669370464eb6866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC18.tmp

Filesize
481B

MD5
c0b97e3b9610017ed7591a997cf706f7

SHA1
16c2254300ed09453204b6f55bc0d305038b2f89

SHA256
15ddaf050fe9763416982fccbf9bba59477efc970da567d217304b7150aa4457

SHA512
6d0acb71eb4ce02d49494c3ee38429a0c738f236a388d33aa94917effee0c2c74a3480f2a459dcc79c689c6e99f090419e66a771a746c1875839f9b96eea8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC58.tmp

Filesize
42KB

MD5
db5d0d4fa484a4678be5dd48b8e44f39

SHA1
addcd23cd2c565ec6e0f628d9c97422f09e485d1

SHA256
d774cbcaa48c95ac9146b78f68347eec66eb74b3216410dc6c7fd4a01bafcf64

SHA512
d2739a584045bdc0ddada27424bd884e7444461d4125bb056d40076ac3caca7521215045d72b6283511f5580e2a9a8c17aa2c383b251c7dda8e1a720fa554ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACC6.tmp

Filesize
315B

MD5
b0e58b5c7f1a13dc54919f55661a957e

SHA1
9575c07248ff0257e88e7a053b421e067a6e9f81

SHA256
8167c759b25907ab300486653a68223495399f7b4c5d62c7432e9e000df514f8

SHA512
7e736a9627f84490cdb7ed1adbe3a905a74c2aedbec161cfe800ec6f3fd0ab5263583987e421a703fab1b373d1e7388e34d4d974e7b53518e874a473e061a7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F0.tmp

Filesize
23KB

MD5
00b0526a190cc145ec9fe8cb31a6352f

SHA1
9dd217e92cb3c6e9082643d977874623784f5053

SHA256
cf90622b16d325528c3b95449fc7b3c30636a52455c16e90b1e71fef39de67fc

SHA512
623b48a1ca1cf3e461835aa3a726ad7ff35eb9e0954f52ba15b2301d4457d4e3e076d17333edd610a1384f1e1a7d2fbba082b708c6ff12f3ec250591783290a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAAA.tmp

Filesize
2KB

MD5
a8fdd0012e6998420474a0c0669327c4

SHA1
aa0b687e766c259a247c16677f4c631ce542fc6e

SHA256
85a0119ffb919c7b1157dabbc8e40897f97ce6544f89931e503564966057d5d6

SHA512
bd834b7119f51ef0c741d2c0696e449e13a003140ad631f5e272130cac2d30f8cb25a5e76cc415ddf6208ee920efed6c7c33519b8f1bd02dd4ae8d3f39e926f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC7C.tmp

Filesize
2KB

MD5
c1a8667b6ac05935847f4fcf6db3237d

SHA1
2dbfe6b587fa663f2a30ff5bf08bd6e000ea13ef

SHA256
e2fbbebe76c439a6831280f3e13858962710f3f7811ff500905a2d5c488294e4

SHA512
aaa6e8b1fc514ea30846acdf7daccadca9a386318c3dd169e76c07f9bdb6e2c9ee57a3ea17169198babe9d5d5c62d7b76ac4e8b3ccb34b04185782fd656b53b1

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
211KB

MD5
3f76aead857771996efdb7a163c2c88d

SHA1
50d6ea8881940b002f2124fa1a88be11f3139197

SHA256
7f3fbab7cbe648a40577110f716a44d94181b247a66a0e4967f826fcf0ea05af

SHA512
7a6d40a153bed6d269c46583fba933732f09c44a974c687b149b6bf8d73f4e86ce2370998ed4e147692511f39bffcdd8a0dd40d9e9541d5dbf7f6f5c561db0fc

Download Submit
memory/2364-54-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-73-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-29-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-30-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-32-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-33-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-35-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-36-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-38-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-42-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-40-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-44-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-47-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-49-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-50-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-27-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-56-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-64-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-26-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-67-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-68-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-69-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-71-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-28-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-75-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-78-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-80-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-81-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-83-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-84-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-25-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-186-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2364-187-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-24-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-23-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-22-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-20-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-18-0x00000000032F0000-0x00000000033A6000-memory.dmp

Filesize
728KB

Download
memory/2364-12-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2364-14-0x0000000002560000-0x00000000025B1000-memory.dmp

Filesize
324KB

Download
memory/2364-16-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2364-17-0x0000000003140000-0x00000000031E8000-memory.dmp

Filesize
672KB

Download
memory/3524-0-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/3524-1-0x0000000002350000-0x00000000023A1000-memory.dmp

Filesize
324KB

Download
memory/3524-2-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/3524-13-0x0000000002350000-0x00000000023A1000-memory.dmp

Filesize
324KB

Download
memory/3524-15-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download