31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
Size

462KB
MD5

be0b4724083c53f7faeca44b6f6f3522
SHA1

95940680c71d8ad0e1d978e02aefa1a2b8565937
SHA256

31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea
SHA512

ce8d8851a50ca270238a8d46c8d13e6d1e01deb677d0b68fe07fd723c68f7d1302ad6776c135541f78968c606d51bdf1bb4fcca3d5ba02e481e400c43dbd33ad
SSDEEP

12288:gmWhND9yJz+b1FcMLmp2ATTSsdiDY4hIq0rBW90N:gmUNJyJqb1FcMap2ATT5gDY4hIq09W9O

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
632	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\99a555ac = "C\x12#ëß\n}Ö{\x1dü²0¶Ãrô\fY4/\"’^æÊ,:ºÛLØñÏ\x04T©\|<\x18F³ùÌ°8ÿôŸ—§©¹ÄÙOÐ¡¸&\x0fq–\x01¦‡\|©ÔùA8Áë€<†`©Áü{t¡$Á\\Q×Ñ¡\u0081Ì"	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\99a555ac = "C\x12#ëß\n}Ö{\x1dü²0¶Ãrô\fY4/\"’^æÊ,:ºÛLØñÏ\x04T©\|<\x18F³ùÌ°8ÿôŸ—§©¹ÄÙOÐ¡¸&\x0fq–\x01¦‡\|©ÔùA8Áë€<†`©Áü{t¡$Á\\Q×Ñ¡\u0081Ì"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe
632	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 632	1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	85
PID 1452 wrote to memory of 632	1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	85
PID 1452 wrote to memory of 632	1452	31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe	85

C:\Users\Admin\AppData\Local\Temp\31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe
"C:\Users\Admin\AppData\Local\Temp\31ce272643fda83601e32fbdcc8efaba3316f3034c7e3e2c985f7c54745fe7ea.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1RIAF1U2\login[2].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\17F9.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DD6.tmp

Filesize
22KB

MD5
3cda7a9c9ed6dac73c3c813004c8d28c

SHA1
b9d79c47d91b1f65a46795b06c5edda7eb001bd3

SHA256
32497ad4a21096adb662780647f871110223034c36e0add773e19f72048dbd6b

SHA512
3ef715bdc7127dbb370030d905341ec98ac750af94b781d89b74ab18dd0f3056ccc83bf9f7f56021757eedb1cb733530c3aab58bd1420d7a1f1be6f48326c291

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EDD.tmp

Filesize
2KB

MD5
f1ff396fe144e258b929d9e7dc16f32f

SHA1
e169c202db56d6e587b18bd6d5c54de8657c6f81

SHA256
7408d96494f9e23b602f2c148b0143d535bb00aaf0d1728a0d152ea706f2275e

SHA512
3dd6be6c2014d3ed918cd5cc9709fee8cc0b36322bcc3d5282c2ab5d79f5bd4351ef0532cd6d1ba2fc3dfea5d46912ad5c32acac74ee62f01c0f2d7add8bedad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE6.tmp

Filesize
42KB

MD5
5074ea678620e1297ae0c0dd27e3719b

SHA1
c096e65abe65cd8aa2ce4e3fd6732fe8dcd574af

SHA256
b1d1ffbec26e930dd42c0874d6e65d7ff799567cd53a9e63ab305635f27b56e0

SHA512
ec8651c38d17f8f58d10c030ce2338a98a105791d2c8140e8137ddc2536161b717383acaaf6a027653ae6958f2fa6e2e086db1a060ed64232644d3739ba82cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BE6.tmp

Filesize
42KB

MD5
450f6bfcc53a679f874ef5ed5ef8998f

SHA1
4855ab7120ba7e593267f11f83fe08b3a13dd8e5

SHA256
da7686f7732f71f6709a3a29a744c45947470b0481ee2e07416463b4a473af51

SHA512
70d597cf796e9602db6439bd015e4968c13f72ca433ff46c182be78c50dd09559c974cfed9f6806881c945c2eb3c1beb647889320b297145a6a344a7fad4e766

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
462KB

MD5
216a97ef1c5ad9f2d5e483b981b465e5

SHA1
e648e0b427da9427af4144312554b9a95448ccd1

SHA256
5cb6b039f90fadef9c4932ed66948260c364f56c479d124219970d5cabc811e7

SHA512
23bbeacb18db117d754e928e6f22abea1f1b88b2c83ac0f7cb84a2b3fdfaed371342159a4f73ca8c5d6663bcb148b6ada9a61eec3eb28243fd553310f0d38246

Download Submit
memory/632-46-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-57-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-20-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-21-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-22-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-23-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-24-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-25-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-26-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-28-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-30-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-31-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-33-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-32-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-39-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-34-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-36-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-41-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-42-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-18-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-44-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-49-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-53-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-19-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-56-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-51-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-58-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-60-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-61-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-62-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-66-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-68-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-69-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-72-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-74-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-73-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-75-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-76-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-16-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-13-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/632-12-0x0000000002940000-0x00000000029E8000-memory.dmp

Filesize
672KB

Download
memory/632-10-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/632-177-0x0000000002B30000-0x0000000002BE6000-memory.dmp

Filesize
728KB

Download
memory/1452-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1452-11-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download