17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
Size

211KB
MD5

4bac063010f7d1fd0533da5140835b67
SHA1

17a4a802dc09b433740fe43f4c3c3f5b5b6e7a91
SHA256

17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093
SHA512

9808378dbf5939e88d6ea1601d49385c48aa8ef4f1a55f267f3c0989e007c2d71adfa953965e06b4fbd39da6d32fd6dbd893f27403a5712a12b508f4408d18cf
SSDEEP

6144:KmKVGe1XIpQiU/ma3MB8hH2Tkp6bYnWcZVol0N5TzQ3:M71YpQiU/RcO1VQInVob

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5a5d1b01 = "C:\\Windows\\apppatch\\svchost.exe"	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
Token: SeSecurityPrivilege	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
Token: SeSecurityPrivilege	2816	svchost.exe
Token: SeSecurityPrivilege	2816	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2816	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe	28
PID 1088 wrote to memory of 2816	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe	28
PID 1088 wrote to memory of 2816	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe	28
PID 1088 wrote to memory of 2816	1088	17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe	28

C:\Users\Admin\AppData\Local\Temp\17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe
"C:\Users\Admin\AppData\Local\Temp\17c32ce142873391c8a97127926af2d46f68013d4645ee681dbbf2ccfe2a0093.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abcd25198fe02734597844a8af23cfc6

SHA1
29e55a6a52c0ac512ffc035142340d310257da8e

SHA256
9e5463a804e08b0a25ae6fa5a82d065c3c19d2e586a86a3d653acf0dc16fd796

SHA512
2d15628ecb9892af7c999e374f620ccfd520398d0ec72a0e7934813c5772d4f80a71242842c44dd8a9b9ed1dfd695d7d9c7edb8fa87d4caafe1b3b63a25051ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Cab33E0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Temp\Tar3452.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
211KB

MD5
777e31fcc2bfa87a9c8c5d05d707b680

SHA1
fd9b5f830c68d3f22052c859fd19ea6678c6f610

SHA256
371863282309369cb45670f7e81573537fe41559d5077d0a8c15826bb465736e

SHA512
3433c8dc4a34c40cfcff1a0097cecaf79ebb420f2ef9143086f9f2c66b102cd21f26ac67c458a4b83446e171d80647aeb307c556d20a4c722bcd63bc3b3bab8b

Download Submit
memory/1088-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1088-1-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/1088-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1088-21-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1088-19-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/1088-18-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2816-55-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-50-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-23-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-25-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-34-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2816-31-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-29-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-27-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-33-0x0000000002620000-0x00000000026CA000-memory.dmp

Filesize
680KB

Download
memory/2816-35-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-37-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-40-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-42-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-47-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-60-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-62-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-61-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-63-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-59-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-58-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-57-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-56-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-20-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2816-54-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-53-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-52-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-51-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2816-49-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-48-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-46-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-45-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-44-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-41-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-43-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-67-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-68-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-71-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-85-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-84-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-83-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-82-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-81-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-80-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-79-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-78-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-76-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-75-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-74-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-73-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-72-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-70-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-69-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download
memory/2816-77-0x00000000026D0000-0x0000000002787000-memory.dmp

Filesize
732KB

Download