31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
Size

462KB
MD5

be0b4724083c53f7faeca44b6f6f3522
SHA1

95940680c71d8ad0e1d978e02aefa1a2b8565937
SHA256

31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea
SHA512

ce8d8851a50ca270238a8d46c8d13e6d1e01deb677d0b68fe07fd723c68f7d1302ad6776c135541f78968c606d51bdf1bb4fcca3d5ba02e481e400c43dbd33ad
SSDEEP

12288:gmWhND9yJz+b1FcMLmp2ATTSsdiDY4hIq0rBW90N:gmUNJyJqb1FcMap2ATT5gDY4hIq09W9O

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b195a09 = "Ÿ\u0081rå5‚ÿëQ¯Ò\x17F<œg\"Ml\u0090øu2L±@˜úy›¶ÜKæ\x04ô<Ñ<œ»®vNî‚Á6NF+K6ÞÖ¾\|ž[ªÎKŒTV¦~ê“N¤V‹Þ\u0081œ´^¦„¤î\nùN\|ñŒîöÉ¢^á¡#6«žd¬¾Vcnt«^\x16ëƒŽ£\x0e+$ÞÑDqìV<ú\x0eÖ£´\nÖ[^\fLnœî\x1cN4ù;K\x06™v~\x1b)Föš\x1cŠrDæ\x0ek1£$†3Ã\x13\v\x04\x16táŒaÞá´£’+vnÙqD›„¾\\Tóžbª¹\x16ËfA),Ž\x19æ,l¶Â£šã\x1c\x04\v>¢ün–;‚[RC2D\\™C³cƒ\x02þñ”\x1eK´ìœÆnƒ+«³ü!\\Š\x06V’ÎÓ{ôºž\x13"	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b195a09 = "Ÿ\u0081rå5‚ÿëQ¯Ò\x17F<œg\"Ml\u0090øu2L±@˜úy›¶ÜKæ\x04ô<Ñ<œ»®vNî‚Á6NF+K6ÞÖ¾\|ž[ªÎKŒTV¦~ê“N¤V‹Þ\u0081œ´^¦„¤î\nùN\|ñŒîöÉ¢^á¡#6«žd¬¾Vcnt«^\x16ëƒŽ£\x0e+$ÞÑDqìV<ú\x0eÖ£´\nÖ[^\fLnœî\x1cN4ù;K\x06™v~\x1b)Föš\x1cŠrDæ\x0ek1£$†3Ã\x13\v\x04\x16táŒaÞá´£’+vnÙqD›„¾\\Tóžbª¹\x16ËfA),Ž\x19æ,l¶Â£šã\x1c\x04\v>¢ün–;‚[RC2D\\™C³cƒ\x02þñ”\x1eK´ìœÆnƒ+«³ü!\\Š\x06V’ÎÓ{ôºž\x13"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3016	2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	28
PID 2216 wrote to memory of 3016	2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	28
PID 2216 wrote to memory of 3016	2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	28
PID 2216 wrote to memory of 3016	2216	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	28

C:\Users\Admin\AppData\Local\Temp\31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
"C:\Users\Admin\AppData\Local\Temp\31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a0335a3e88aaf84e1313a2cbab86bd66

SHA1
0d44d64b045ef0eccc79801f9a410fb9ef741ec6

SHA256
e552483d217899af5a6002c72c083a880dbaa9b6f205f0f362d61cbedac2654d

SHA512
69732f010463db2b915e30c8c3f68fe205097784a9c1d2d6722bc7c106cc5782edd008ede28d87f80b6de0838e1e5937663c275660035c2e4d795ed2765423e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b470f1e13dd11c44d571c8a97d9eb890

SHA1
204064892ad4b8eebb083dc4425b0c2e753897b2

SHA256
f34944101df352e55fca53b533366ddfb9103f2f83b67711f1c57a48a234cfc0

SHA512
1547cf76f414ec9b364db2d3893f129e5c4addec6a10bfc9444150f18c7ad0f4dbb31e0df4ae5ffbb793ec1e0d1c33dd474bf8a1d1c177c3059ca0446aa62bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
87b21f894add854bab267bc5f71539fa

SHA1
95623e2e5c050f1a14efbc4065fa23d79d2bb1b6

SHA256
8f30e1f821a75ba3fabb9b96122a1c477207fcb6a233153dbf70acb2593efeb0

SHA512
c7f4125024fd5fa187ba4e18385a5db61f73c134c6e9633f7d64d86c1b3aac053625d7cf3d514185df79165d0dcaa110e3f30a7b2b735b70be4a42a304d115f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
fb6bd29746fa487802bea3a1c4a35e47

SHA1
4929ef3265d7fe2ed83cbdf339f116a4b850e517

SHA256
4b73b95db1cd09388366bc7cef44ad25031cf7f61caa191988ea3c5cbb87e65b

SHA512
56b06a95fad6908e48fc1f09c716451e9218c3ed0707b15c9e165a92abeb17918a1897cc2eaae0d2aedb9aedafa5b180c646c163758563f6c36c63c4669170fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\11B9.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3CD0.tmp

Filesize
2KB

MD5
8d4d865f24b8f40d6e9ae03aa58ff6e4

SHA1
cb774651ef8e0d636222ac034f4188b054db72ff

SHA256
b286a78e39a37cf53f449633b96130b62a22048ff2a8de02e55251e164d6c711

SHA512
98ccc8c790e0d0bac3841ced834fdb388141352f8528a7f56badfc55c71dc3c68f2848f57871c0f222ef173b253d7ec681ea542a56dd513d1f6e42b6034e967a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28A8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
462KB

MD5
ef140f2535a13cc8f68419b62a0b8d48

SHA1
5a58cc3aa4ce40a7996ba79c3d6bbe064ba18e41

SHA256
a8888dba96708c0044c5d6d8f8c208b7e28423bff01c0a3afdc8f84f14424835

SHA512
f867ae0e5ec8bf97e89e1542bab75d794c17784393e635dcc5040fdf618a5fcf9b35742fb27a607415fb2ad0f40ddfe75e43a53ea458c0b4008e79aa56759244

Download Submit
memory/2216-9-0x0000000000330000-0x000000000039C000-memory.dmp

Filesize
432KB

Download
memory/2216-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2216-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3016-52-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-58-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-31-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-33-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-35-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-36-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-37-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-38-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-39-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-40-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-41-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-42-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-43-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-44-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-45-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-46-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-47-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-48-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-49-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-50-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-51-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-27-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-53-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-54-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-55-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-56-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-57-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-28-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-60-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-61-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-62-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-65-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-67-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-69-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-70-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-74-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-76-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-75-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-78-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-79-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-80-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-81-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-82-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-83-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-85-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-84-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-87-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-86-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download
memory/3016-25-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-23-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-21-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-19-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-17-0x0000000002010000-0x00000000020B8000-memory.dmp

Filesize
672KB

Download
memory/3016-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3016-235-0x0000000002350000-0x0000000002406000-memory.dmp

Filesize
728KB

Download