Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/05/2024, 21:45
Static task: static1
Behavioral task: behavioral1
- Sample: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
- Resource: win10v2004-20240419-en
General
- Target: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
- Size: 212KB
- MD5: 5e556d0847905125d4c474d153c5ee37
- SHA1: 272b80004a631d63854404ef47e57f9fbd307e70
- SHA256: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9
- SHA512: f2a2aca022ecf559566464ca0c20257a99f0ea5f56dd84b7ce610cae436ea4d9af1fc451753d4aa876d260b7b0ab131dbf03c2cab1c3885f5f3da5d8b44b6da5
- SSDEEP: 6144:zxNqLW6opBZMU/y/JEGjg+op2BSNCCr7/jU:tA6NBT/yEGjWwa7vU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process: 3468 svchost.exe
- Modifies WinLogon (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9cd8037e = "C:\\Windows\\apppatch\\svchost.exe" (Process: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe)
- Drops file in Program Files directory (18 IoCs)
  Files created by svchost.exe in C:\Program Files (x86)\Windows Defender\: lyxynyx.com, vonypom.com, pupydeq.com, pupycag.com, qexyhuv.com, lysyfyj.com, galynuh.com, vofycot.com, qegyval.com, qetyhyg.com, lygyvuj.com, vocyzit.com, lymyxid.com, qetyfuv.com, galyqaz.com, gahyqah.com, gadyciz.com, gahyhiz.com
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\apppatch\svchost.exe (Process: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe)
  File opened for modification: C:\Windows\apppatch\svchost.exe (Process: 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings\MuiCache (Process: svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 3468 svchost.exe (the same entry reported 64 times)
- Suspicious behavior: RenamesItself (1 IoC)
  pid / Process: 1712 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeSecurityPrivilege, pid 1712, Process 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
  Token: SeSecurityPrivilege, pid 1712, Process 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
  Token: SeSecurityPrivilege, pid 3468, Process svchost.exe
  Token: SeSecurityPrivilege, pid 3468, Process svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1712 wrote to memory of 3468; pid 1712, Process 4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe, procid_target 85 (the same entry reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f25521315223fe8def008cedb40073f18f21608d6bb41739d30988eefff4cf9.exe"
  PID: 1712
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 3468
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168B
  MD5: d57e3a550060f85d44a175139ea23021
  SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
  SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
  SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063
- Filesize: 167B
  MD5: 0104c301c5e02bd6148b8703d19b3a73
  SHA1: 7436e0b4b1f8c222c38069890b75fa2baf9ca620
  SHA256: 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
  SHA512: 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf
- Filesize: 212KB
  MD5: 18047627383252c1d9ea697f29c0894e
  SHA1: 0b5ec4a96d0a54eebc23110944df6064473a3f44
  SHA256: 1b39a0d09edbcebac7c9ede44002e91a63a6c6983ed80326cc76711d43f1ec94
  SHA512: b7dc46db0e68d8078045980f70c623ac7929223a69dab7100311a9e87d6559a345ffa6847b857bfc2c0c6dc7832839629ed04ad0060742d440cff563034732d6