135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60

General

Target

135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
Size

218KB
MD5

08ed06e7defad3bb2052fceec8f80975
SHA1

65a6219bf48c8df4b5b6312b419342e8923155aa
SHA256

135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60
SHA512

e1193e191cf9261f8155367d5b7c1cb97104699f78e1d0d3facb959bb59f240efe7662a8e4a9802f032b97456960c25eadd857985146b71380111d42f4b67d0f
SSDEEP

3072:5vm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:N1SyAJp6rjn1gOObn4b6h9h

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\deecfbec = "@V\u0090cõš>»M\aH\x1bœ#ø]ô\x0fò“8‰WØ[ûx²‡³\tÜ€\bB‡Œ\|„»äŒ¢w(¯O\x03Dgd›Œ,»ì“Ä¯´ô\x04BÔo\x03ÔÏKçOL\"Ä”„ÿ*äg\x14\x03"	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\deecfbec = "@V\u0090cõš>»M\aH\x1bœ#ø]ô\x0fò“8‰WØ[ûx²‡³\tÜ€\bB‡Œ\|„»äŒ¢w(¯O\x03Dgd›Œ,»ì“Ä¯´ô\x04BÔo\x03ÔÏKçOL\"Ä”„ÿ*äg\x14\x03"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe
3088	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3088	4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe	82
PID 4000 wrote to memory of 3088	4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe	82
PID 4000 wrote to memory of 3088	4000	135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe	82

C:\Users\Admin\AppData\Local\Temp\135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe
"C:\Users\Admin\AppData\Local\Temp\135680b96fdf05b58cab4042149b003cdb741df987adebeb2b9ae36d4d57eb60.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
218KB

MD5
a60b30d52646aafb2e4c05f0c55b41cc

SHA1
eb43e6fb3aec6ff8b6c6097ca62d597bd1c5c4e6

SHA256
e556c6f2c3b79fd87eb248beae09b1a0dfbd7bd511166d1830063ac60d97efa1

SHA512
9dcc6238ac9ea46149356abb2a686f70aa663f190f47b01879bc6f41e1128a2c34c5ef526e0a65fabba2723cb1dbfe2a426eaedfd9313abf0fecd1dfa646f86f

Download Submit
memory/3088-16-0x00000000028D0000-0x0000000002978000-memory.dmp

Filesize
672KB

Download
memory/3088-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/3088-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/3088-14-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/3088-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/3088-17-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/3088-15-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4000-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4000-10-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4000-12-0x0000000002680000-0x00000000026D1000-memory.dmp

Filesize
324KB

Download
memory/4000-0-0x0000000002680000-0x00000000026D1000-memory.dmp

Filesize
324KB

Download
memory/4000-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads