7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe
Size

205KB
MD5

3f09dd853dd62d494aef22d8986b1fb5
SHA1

fc57d05184220ee8681fde8eda7da40df38ea82a
SHA256

7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318
SHA512

9b8164af1787938c679ad44d4730a138d531fbd5764b4a0b57961eea468792d2ba7d285cfca027618702353b56de779c0bfdb1bdb1ec00a03df31851b32576d5
SSDEEP

3072:r7VD4DUHnNZkfOP6sfIOpJ9C3hPlGxt1UhRkgyankTIzfwAYzWcXCyqT36zhRRKy:lzHnMLm5GNGxHUhtnkdpHqTKzhh8i

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
408	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\596fd5bb = "C:\\Windows\\apppatch\\svchost.exe"	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\596fd5bb = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\volykit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	svchost.exe
408	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4632	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 408	4632	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe	89
PID 4632 wrote to memory of 408	4632	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe	89
PID 4632 wrote to memory of 408	4632	7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe	89

C:\Users\Admin\AppData\Local\Temp\7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe
"C:\Users\Admin\AppData\Local\Temp\7799b8a83ebaf56f0ef947a59b9b1a30d887d006aa18e2f65d4c01d169481318.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
22KB

MD5
5bc08dc33bf3da5ae8ec3f1e2348355b

SHA1
910484632987957748237d5cfd4db0ffcbe2f146

SHA256
96584c52cd49d4f8dabcae86e734ed191455ac60b3a7dc84dc3574681602208d

SHA512
5db256fede72d17e4b7e5964ad66f6348e3c64be0306ba41c348d9ecd4f20350c70103c802c923eba0e5fd730357256e48b66ec7069c9ced1addea78a20a7131

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\volykit.com

Filesize
2KB

MD5
4ea840e63ccd1da472a68acd756b7d0f

SHA1
f6bd5edd19285b4aa49a710dbae5da93d6ad7374

SHA256
0e50ca03f2808aa185223162b7c334100ae96c5cfb7912deb1fe6802bf50b55f

SHA512
0eb733bceb30df2159102bef9b31877b8553af1861a204f2818e421dfff6bab58dd24e3f0e9dca976d4feeff2d351f90e3e0106e3ec49d163328ade930e33485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\login[4].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
205KB

MD5
5d1503bad27f71e008e18834a637b093

SHA1
19be88c1c9d297011d809776a5d663e5e3fdfd89

SHA256
fb596d5f2a1e4427e790d32d08c22b684fc2df314569b66aa85570de4c59a37c

SHA512
d04d081249823e2acc2e83de4801a13c5b51e113e5a1fe0c9d45c90c7aa38a2f3698678813b7c9edc799aa035f9cff5892a671890fb9b658c7523b215ac6e437

Download Submit
memory/408-41-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-188-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/408-21-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-22-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-24-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-23-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-25-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-26-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-27-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-28-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-29-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-31-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-30-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-32-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-34-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-33-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-35-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-36-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-37-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-38-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-40-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-13-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/408-43-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-42-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-15-0x0000000002A10000-0x0000000002AB4000-memory.dmp

Filesize
656KB

Download
memory/408-50-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-49-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-45-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-55-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-56-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-60-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-64-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-63-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-62-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-61-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-59-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-58-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-65-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-71-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-57-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-19-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-52-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-189-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/408-16-0x0000000002C00000-0x0000000002CB2000-memory.dmp

Filesize
712KB

Download
memory/4632-1-0x0000000002240000-0x000000000228F000-memory.dmp

Filesize
316KB

Download
memory/4632-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4632-2-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4632-11-0x0000000002240000-0x000000000228F000-memory.dmp

Filesize
316KB

Download
memory/4632-14-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download