Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/05/2024, 19:07

General

  • Target: 143e9451e14b212450a8787576580007e6423b2fe211df7801e17aafb53e73f7.exe
  • Size: 201KB
  • MD5: 324f7af12eb64184a320717bf6ab5061
  • SHA1: bc2c8a7e90964a5263cab3014b20c293593a2abc
  • SHA256: 143e9451e14b212450a8787576580007e6423b2fe211df7801e17aafb53e73f7
  • SHA512: 74db54eaea243ab3764ad823369d4055f25d1d5aa501bab99c6617ec2d7113ff7ed9b87a62cc95ddf5b385f8f85287f8fa4501008f8bcf97bc9867cba3431dcd
  • SSDEEP: 6144:7t++Jbojf5Vq5OC4qZhZcKYhc/ZfUozY:w+cff22qZhZcKYhc/

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\143e9451e14b212450a8787576580007e6423b2fe211df7801e17aafb53e73f7.exe
    "C:\Users\Admin\AppData\Local\Temp\143e9451e14b212450a8787576580007e6423b2fe211df7801e17aafb53e73f7.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:2948

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Windows Defender\gahyqah.com
          Filesize: 23KB
          MD5: 8fa70b80d16c0a6bb719f5bdf8384843
          SHA1: 0c46ee1da67e695327ee9852fa5edcd2526a2ee8
          SHA256: 948f81a9ccd23adae3da1455534b62d1be21cc3a7dc01f58065866aede2baca8
          SHA512: 209b0a87d0a18037e414947dfcc0f2f9a72bcbe3c91baac635bdf1bce88eb183260b05dd80d6cc35803f95d4d90a7308a69bb55bf190ec9509ea1f0e6981725d

        • C:\Program Files (x86)\Windows Defender\galynuh.com
          Filesize: 593B
          MD5: 926512864979bc27cf187f1de3f57aff
          SHA1: acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
          SHA256: b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
          SHA512: f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

        • C:\Program Files (x86)\Windows Defender\galyqaz.com
          Filesize: 42KB
          MD5: e0e532d0796528ac7f638369b8201d2f
          SHA1: c9fedd584bd637ac1069cfb15ecbab9d659ab7b9
          SHA256: 4ef26fd9d150dc356ac9b4a7f8a99f664dd55ca4e94cc6cb321c60e7c1f5e233
          SHA512: 2d917deb53a3732af86345dfc8002d67f4e8aeff930e423d08b61d25bfeee68954bd2f9908cbd72bf12f12c6810d4e6e23f43b199b841e8c007b3e528986a751

        • C:\Program Files (x86)\Windows Defender\lyxynyx.com
          Filesize: 1KB
          MD5: cc5109317a233f1a09f987b0e7ca9b5c
          SHA1: aaf3d4ea88b908524dbe78e0a458d085a33981ad
          SHA256: 51267e84ee0a3ee3e9b355f71f750476f9f0c073139810c5a452ff3576b1eeed
          SHA512: 3dbc5d81a2cbe849a4b2cad6ffdf57e415d1b0b63f39538f7c08910ecded8f49937786ca6484163d9bdeecddf85015c9e93060329d4b22de0d9b7515cfc235bc

        • C:\Program Files (x86)\Windows Defender\pupydeq.com
          Filesize: 114B
          MD5: bfde1e9e9c32c1681a16139450c6909d
          SHA1: 7e669b927e6a75a10a0ca29e38e58ddcb49b725e
          SHA256: e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a
          SHA512: 781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

        • C:\Program Files (x86)\Windows Defender\qegyval.com
          Filesize: 457B
          MD5: 531ec87a0b2f9477a52d88b111d0d46a
          SHA1: 50a72e5752075309f91c062e0282a7e7cd1e751e
          SHA256: 4875b451859b1eb8d0d3b040b1bb8d654d212edb6d9c721cf0f4372129579385
          SHA512: 07994963fd76b31ef0ba2c7f418dcb3ee0290f6baca2d8ec63a6e6b861557b13fbc20d2f0a10a66f35c4d72d4d2c1920ac88b96174604f2f8856868912327da1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize: 68KB
          MD5: 29f65ba8e88c063813cc50a4ea544e93
          SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
          SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
          SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
          Filesize: 1KB
          MD5: a266bb7dcc38a562631361bbf61dd11b
          SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
          SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
          SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize: 344B
          MD5: 9b399d19fbf9b44fcc3a37ac34704b80
          SHA1: 905210ef0c1ececf19bdd530a275737729ef00c2
          SHA256: 8e62cdb3f7666db30e6359b0d3c401c8844e8dbbda055e20df0b8db9ddcb1f2f
          SHA512: 2bc7f0fb7bad941256c7407c3c7626cdc35ed0f35efbbe6418e81638adc9932f482a3c3fca4e42530dcac03119757e8b33887fb8cf86892773cbccd23b4670b0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize: 344B
          MD5: 1a0264eb6e996dcc13749429a5a0b10c
          SHA1: 5aa69df41f7b1a733f9af03fb6338ee78b586f00
          SHA256: e72dd0428e67e3fb3c8219de9cd38f50f68b772d515dfdd4746342be15098b63
          SHA512: 6e416f2bf9f27b4e66c65844641c8c60f0dfb68bea092b23f4423515f4ff5576feef8651551babf000e2ef6abfd7c8058e8eeade53601ccd13f3b636bd9bc9f7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
          Filesize: 242B
          MD5: ef4396aff73b70e32322a36621531969
          SHA1: 787dd3990fd85b0b97c84fe829107f8fd45ae327
          SHA256: 82bd30c9be2bab118872391dcddf774443f23bfedb5852ec1d283fa863b89431
          SHA512: f2f24b0d0f2e760569e631259b92413216aa606f4f5552988dfd0c161895422d56d8cf9a875458b960f0a86846f1c4fcc0f8891227e635faa84432aef0add73c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BN34QJC\login[3].htm
          Filesize: 168B
          MD5: d57e3a550060f85d44a175139ea23021
          SHA1: 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6
          SHA256: 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c
          SHA512: 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XPW2LUHA\login[3].htm
          Filesize: 114B
          MD5: e89f75f918dbdcee28604d4e09dd71d7
          SHA1: f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
          SHA256: 6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
          SHA512: 8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

        • C:\Users\Admin\AppData\Local\Temp\Tar2A41.tmp
          Filesize: 177KB
          MD5: 435a9ac180383f9fa094131b173a2f7b
          SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
          SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
          SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • \Windows\AppPatch\svchost.exe
          Filesize: 201KB
          MD5: 411a4f09f0f87d112e85f969e1ad110c
          SHA1: 1ce8ee461b5f33f84c0e6fcb71881ab93598d6b5
          SHA256: 4141e5385f812bc0ea6d17d37ec070c4d78a9e1686a59f4e8d13d62f407647bc
          SHA512: 6c6cb2ac6539eba633a0b2be6814f4283ca535899a678e1ab0aae4e4fc51a13d5c44f94ed440920486558371bdfefbc8224624518d02de14bae7870e408cbcc7

        • memory/2884-17-0x0000000000220000-0x000000000026F000-memory.dmp
          Filesize: 316KB
        • memory/2884-1-0x0000000000220000-0x000000000026F000-memory.dmp
          Filesize: 316KB
        • memory/2884-16-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2884-18-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize: 368KB
        • memory/2884-2-0x0000000000400000-0x000000000045C000-memory.dmp
          Filesize: 368KB
        • memory/2884-0-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2948-61-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-77-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-54-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-84-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-83-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-81-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-80-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-78-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-76-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-74-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-72-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-71-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-69-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-68-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-66-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-64-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-63-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-36-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-59-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-58-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-57-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-56-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-55-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-52-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-51-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-82-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-50-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-79-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-49-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-38-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-75-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-48-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-73-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-47-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-70-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-46-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-67-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-65-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-45-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-62-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-44-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-60-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-43-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-53-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-34-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-24-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-26-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-28-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-33-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2948-30-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-32-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-23-0x00000000022F0000-0x0000000002394000-memory.dmp
          Filesize: 656KB
        • memory/2948-21-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2948-19-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2948-20-0x0000000000400000-0x0000000000491000-memory.dmp
          Filesize: 580KB
        • memory/2948-42-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-41-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB
        • memory/2948-40-0x0000000002530000-0x00000000025E2000-memory.dmp
          Filesize: 712KB