66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe
Size

213KB
MD5

b8d6d21fa35df5e7f8c2609e6fc07fae
SHA1

3848009b61d41b8d02ea4ac509d9efccac22bbf3
SHA256

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4
SHA512

c9b7110e7516408761ff53e2168f51c2cc8073b2c187ed2d49b1253dfca78a2678f43b01b015815b9e936a77739a53b126a978b36c0e1ef3f7f76bb884fd78f4
SSDEEP

6144:f7++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:q+cff22qZhZcKYhc/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3600 svchost.exe

pid	process
3600	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2ac3a61e = "C:\\Windows\\apppatch\\svchost.exe"	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2ac3a61e = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 36 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

description	ioc	process
File created	C:\Windows\apppatch\svchost.exe	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

3600 svchost.exe
3600 svchost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

pid process

2148 66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

pid	process
3600	svchost.exe
3600	svchost.exe

pid	process
2148	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe

description	pid	process	target process
PID 2148 wrote to memory of 3600	2148	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe	svchost.exe
PID 2148 wrote to memory of 3600	2148	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe	svchost.exe
PID 2148 wrote to memory of 3600	2148	66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe
"C:\Users\Admin\AppData\Local\Temp\66a34d4bb9c95651d95dd43e870024d2235a233183bfc45105052cded1a926f4.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
22KB

MD5
05ea2b8d89859264ddcb83fd6504d2a9

SHA1
486f28d578e88e8375d4069659bf2325d14f636f

SHA256
2808dc5facc6d7feea05c0e890477be8ecc3ed43e848a0f74dc70f03456b857a

SHA512
97f169c15bc00b2d85ec07c0450a07e9602bf17acca56fc94341153237e1c9d095f28b6eb884b4744cfc7bd9f6620bb1726c1db46cc6793538c792a073fd424e

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
41KB

MD5
0021c2c1d4317bc971b540a1e9ca047d

SHA1
399074a28f35986ae212e422d0acc3e78816f2d9

SHA256
e529bdbc0c1dfa9a9f595ee6341a1edae05e48d5079d6410801af05da1f94975

SHA512
7e3ec10dc05e2ffbda0f6f9c4887f67490d8a80f2baf582f0ef19f31c8987d410978887d33511641fbbfcc08468b8e072e67c27376ccc97f75338f43701641c4

Download Submit
C:\Program Files (x86)\Windows Defender\lyxynyx.com

Filesize
1KB

MD5
21d92b6aa4f6e60a96eb211bdb27a10c

SHA1
d14a7a80fa3e9e7ab7e262a3d1351f042d3a9ce0

SHA256
6222f825dce38ceedf75362bc154f487f7e1a4df51b583efa4ab64dcd8ce146c

SHA512
32d1f4a09e33ef029498864c8a0d48d6a0acc7c6461ff6a004668c2946716925ec5ca8758a58aca960216d792042cae48eac577b9a23c9d49d8c274311d17b38

Download Submit
C:\Program Files (x86)\Windows Defender\pupydeq.com

Filesize
114B

MD5
bfde1e9e9c32c1681a16139450c6909d

SHA1
7e669b927e6a75a10a0ca29e38e58ddcb49b725e

SHA256
e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a

SHA512
781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

Download Submit
C:\Program Files (x86)\Windows Defender\qetyhyg.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
213KB

MD5
33d385a541df121b93cedeec73855421

SHA1
594af937fb713e0585d2152500570f3dadd371d2

SHA256
e5389ae354c9fd92125c5d70b424d1b488efe48b63d3e6e9b2aff29081bd4e41

SHA512
13cf1ffe6de8be4589acc39389cfd6573942c980533e0a772639124afcaa04a7fed61055224f301d908a7cb89a7f75b06be30cc001ed232c492f4accafa03abf

Download Submit
memory/2148-1-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2148-17-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2148-18-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download
memory/2148-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2148-3-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2148-2-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download
memory/2148-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-61-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-53-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-27-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-25-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-34-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-35-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-81-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-82-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-80-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-79-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-78-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-77-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-76-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-75-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-74-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-73-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-72-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-71-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-70-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-68-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-67-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-66-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-64-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-62-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-22-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-60-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-59-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-57-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-56-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-55-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-54-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-23-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-52-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-51-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-50-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-49-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-47-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-46-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-45-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-44-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-42-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-41-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-40-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-39-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-37-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-36-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-33-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-32-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-29-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-69-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-65-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-63-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-58-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-48-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-43-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-38-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-31-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-30-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download
memory/3600-21-0x0000000002A40000-0x0000000002AE4000-memory.dmp

Filesize
656KB

Download
memory/3600-20-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-15-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-14-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-12-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3600-28-0x0000000002BF0000-0x0000000002CA2000-memory.dmp

Filesize
712KB

Download