b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2

General

Target

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
Size

383KB
MD5

b9f6ef4e098f3fcb4670459e5d88a092
SHA1

954440a2fb861a9fa1783cffdc6cc9fb5ae86f43
SHA256

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2
SHA512

87322756013a01672c3687f637e4cad8f0e72a42b6da08a263dcfa5167465682947aaec80939a12a483cf9b57a9495c11ab6d1103a1bc16e79a6f3b388d84448
SSDEEP

6144:Dd5afqlpDHA9NtTV3okaEXnMhr1gg5YdEV1l6RXMAcfBOWq3oXY/LBFV7UMXKb3w:Dd5acTP+n25J1sJWWLBF2MXKb5Ol7

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x000000000049D000-memory.dmp	UPX
\Windows\AppPatch\svchost.exe	UPX
behavioral1/memory/1988-15-0x0000000002270000-0x000000000230D000-memory.dmp	UPX
behavioral1/memory/1988-19-0x0000000000400000-0x000000000049D000-memory.dmp	UPX
behavioral1/memory/1812-20-0x0000000000400000-0x000000000049D000-memory.dmp	UPX
behavioral1/memory/1812-44-0x0000000000400000-0x000000000049D000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1812 svchost.exe

pid	process
1812	svchost.exe

Loads dropped DLL 7 IoCs

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exeWerFault.exe

pid	process
1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe
2840	WerFault.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x000000000049D000-memory.dmp	upx
\Windows\AppPatch\svchost.exe	upx
behavioral1/memory/1988-15-0x0000000002270000-0x000000000230D000-memory.dmp	upx
behavioral1/memory/1988-19-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1812-20-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1812-44-0x0000000000400000-0x000000000049D000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3f88a7de = "C:\\Windows\\apppatch\\svchost.exe"	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

Drops file in Windows directory 2 IoCs

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

description	ioc	process
File created	C:\Windows\apppatch\svchost.exe	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2840 1812 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1812 svchost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

pid process

1988 b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe

pid	pid_target	process	target process
2840	1812	WerFault.exe	svchost.exe

pid	process
1812	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exesvchost.exe

description	pid	process
Token: SeSecurityPrivilege	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
Token: SeSecurityPrivilege	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
Token: SeSecurityPrivilege	1812	svchost.exe
Token: SeSecurityPrivilege	1812	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exesvchost.exe

description	pid	process	target process
PID 1988 wrote to memory of 1812	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe	svchost.exe
PID 1988 wrote to memory of 1812	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe	svchost.exe
PID 1988 wrote to memory of 1812	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe	svchost.exe
PID 1988 wrote to memory of 1812	1988	b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe	svchost.exe
PID 1812 wrote to memory of 2840	1812	svchost.exe	WerFault.exe
PID 1812 wrote to memory of 2840	1812	svchost.exe	WerFault.exe
PID 1812 wrote to memory of 2840	1812	svchost.exe	WerFault.exe
PID 1812 wrote to memory of 2840	1812	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe
"C:\Users\Admin\AppData\Local\Temp\b521f8d89b62a0b5f7e1df8d6e81bc4709b6ce867f877bcc8879e7895cde3af2.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 424
3⤵
- Loads dropped DLL
- Program crash
PID:2840

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe
Filesize
383KB

MD5
8f9aef102a47c60789a961935bb8ca5c

SHA1
7008054997f18ba373b2f90a8be731a70d99d418

SHA256
8ee99343a3fe02936e9e6aa1a0394fe27b4f35cf0b8cc163eb845803938c04ea

SHA512
52ffc519a6215a8d5d7fd4ad2211efe1710dcb565c8dcf26108d37337d0f5982cd67cba15688aed00960c8f55b33018134c6c57afa4a396f486ad7e65b3955ef

Download Submit
memory/1812-32-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/1812-31-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-44-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1812-38-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/1812-23-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-27-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-35-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/1812-25-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-20-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1812-21-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-29-0x00000000021D0000-0x000000000227A000-memory.dmp

Filesize
680KB

Download
memory/1812-34-0x0000000002430000-0x00000000024E7000-memory.dmp

Filesize
732KB

Download
memory/1988-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1988-15-0x0000000002270000-0x000000000230D000-memory.dmp

Filesize
628KB

Download
memory/1988-17-0x0000000002270000-0x000000000230D000-memory.dmp

Filesize
628KB

Download
memory/1988-19-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads