cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
Size

218KB
MD5

76bf977884957ff1624a9c8e6825b27c
SHA1

c71ca66fbed01dc42f9473feeb85d52371f11b09
SHA256

cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67
SHA512

c27310eee7d80625bd1f802a46137052b842b503d9ee73aac29c632b872718f94d4cc4c5f64b55ebbcc9e1582f46942ae899c4fa45e6efc9adfa41cff2e25d58
SSDEEP

3072:Hvm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:P1SyAJp6rjn1gOObn4b6h9h

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\91c7a969 = "K3lÏ„‡\u00a0ß*»Øµ¡Õ°\u00a0<×A¥?ŽãÝ‹\x1b,r´\r¤\x1c(ôvà\x11¹\x0ed\u00adÀPˆ\tàÙµ´}p°´Ô!¼yv‰±]ÔÖ\x11Õ©¥ˆ-6ñ)}}¥\\Ù@ô¨\x05°\x05”áÙ(¸\x15¤i,mH!ø˜Yä©ÁùéÐi\x11½pd¥VY\b\\A\x15\u00ad\x11\x18ˆÐö\t\fU„lØL\x06\u009d‘ˆT9”\u00ad!¹y X¡y©h\x19ô\u0090ÜÁ´\u0081ˆÕHüdì±5ØÕDÉõôìyA¨6\x04\x16–IÜÜ©\r!D\u00ad\u0090A~<V\u0090œI\x04˜Œvœh\x18\x11fŽ$låX¤\r\x1d\|pLìÜH¾1`\x19ŽñÌüÁ$á ñ´´\|µÅXÐUù†‰iÈà\u008dý&ñ>ÑpŽ&\u0090dat\x1c”ä\x109¾"	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\91c7a969 = "K3lÏ„‡\u00a0ß*»Øµ¡Õ°\u00a0<×A¥?ŽãÝ‹\x1b,r´\r¤\x1c(ôvà\x11¹\x0ed\u00adÀPˆ\tàÙµ´}p°´Ô!¼yv‰±]ÔÖ\x11Õ©¥ˆ-6ñ)}}¥\\Ù@ô¨\x05°\x05”áÙ(¸\x15¤i,mH!ø˜Yä©ÁùéÐi\x11½pd¥VY\b\\A\x15\u00ad\x11\x18ˆÐö\t\fU„lØL\x06\u009d‘ˆT9”\u00ad!¹y X¡y©h\x19ô\u0090ÜÁ´\u0081ˆÕHüdì±5ØÕDÉõôìyA¨6\x04\x16–IÜÜ©\r!D\u00ad\u0090A~<V\u0090œI\x04˜Œvœh\x18\x11fŽ$låX¤\r\x1d\|pLìÜH¾1`\x19ŽñÌüÁ$á ñ´´\|µÅXÐUù†‰iÈà\u008dý&ñ>ÑpŽ&\u0090dat\x1c”ä\x109¾"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 5064	2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe	83
PID 2076 wrote to memory of 5064	2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe	83
PID 2076 wrote to memory of 5064	2076	cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe	83

C:\Users\Admin\AppData\Local\Temp\cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe
"C:\Users\Admin\AppData\Local\Temp\cb2d34626b89ea865e1e4ca57525fbdeca359aeea19246d646e58b1317269b67.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\58B6.tmp

Filesize
481B

MD5
9a4053d478d3f2c72d3c63a3f49a7be1

SHA1
17c1946eab1d38e0ba9ce23a95bf9fd0f6ac6b09

SHA256
8709b9c16ab65f9cd92657ea29859600e2d4c02388e2c4f1ee2ccbde6120fbe8

SHA512
c2fc53d37989ed8db0b055a31839f3fec6525b6167a65a0416caa2f864b6ad246f423f64f3f348e1970b3b76c61ece66eb34024fd9faa4128b4c93aeccaffa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\58B7.tmp

Filesize
41KB

MD5
58e16753c5abc1e6f6753eacae2c31c0

SHA1
841fcd673ee5d0cbc17a9198a8dd6767a6b42929

SHA256
6bda60645c94d6efdbfddbc6f90f06b61b5af22577061ae277ce4a715c8b3a08

SHA512
2f7262268b5d413eddee639c8ad8cc9a011bfadad8a2cc5518864614d09d6c4f7d82b08e51be4d2325d7fe12331b6fb97c7b327405e2096f451b6972aa9286bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\59BE.tmp

Filesize
23KB

MD5
aa1fe2276be2725dfefe84986f69c5cb

SHA1
755394faafd45a4d20fb0ba3820723325177e614

SHA256
68f9ad12e3d56714fdbea0f2ef4fd38792e5d11a65572c94c4fa9e6877dca46b

SHA512
79a5b688e8242bee1436933378f98b5bd36bf86f6acf60cb535fafd0b93aa6441493fe918858a7e564e485618764aa517de31adb2c38bf52cea60a10d2347478

Download Submit
C:\Users\Admin\AppData\Local\Temp\59FF.tmp

Filesize
481B

MD5
378586c61523e703942da0a7186f2234

SHA1
1c2e35a0c265afc9fd27b6ab73b7fd7f5f064dae

SHA256
7f092a4f52e95bfa9fa3b009631a64d9a4489e92c4c22ecf1b8a925e60a5d5b6

SHA512
254588629d26bf01fa2a039a5485de063ce869ec01b91d727a8f6df5b016574d28acdfa3198019835bc8038e5438ccdc7704e2a1bd15d40b04a7cef4ac809e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A5F.tmp

Filesize
1KB

MD5
f8f5a7ba9d85a72ba4bce49f4680b920

SHA1
a4279dd42993c33e0ba7bb37cf2813537437b68a

SHA256
c094c995b0ddda02c87e0acdf9e784f3b5767080985f50e5a81b11538b4b0737

SHA512
926ddb90f73c35ce676b8b8b04ceef2d96c6e4c45e6ae3b1c72905ba7b567c41020797a1e2689c09b78bf922ecd07302c9e2ab6c3260d621aaaba7c2eecf10e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\694D.tmp

Filesize
593B

MD5
3b03d93d3487806337b5c6443ce7a62d

SHA1
93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

SHA256
7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

SHA512
770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\694D.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9BA.tmp

Filesize
457B

MD5
531ec87a0b2f9477a52d88b111d0d46a

SHA1
50a72e5752075309f91c062e0282a7e7cd1e751e

SHA256
4875b451859b1eb8d0d3b040b1bb8d654d212edb6d9c721cf0f4372129579385

SHA512
07994963fd76b31ef0ba2c7f418dcb3ee0290f6baca2d8ec63a6e6b861557b13fbc20d2f0a10a66f35c4d72d4d2c1920ac88b96174604f2f8856868912327da1

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
218KB

MD5
304b94a2773f9849b788079383539370

SHA1
84c3b3378a8925ccf4d9ce4920b7784c06ac37c6

SHA256
50642ee97866b5a22ca18d7e7feabee4325ce9b3e7205faf1af7e112938e6322

SHA512
7412ab8538e926f5eaa3d2a6c7737861b36398a96c89f7cbd9aebf947ad87ceb479183f47cdeb4a2686dd70be9bd146b9227dbc7c0f0971fc0bf1671211e466a

Download Submit
memory/2076-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2076-11-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/2076-12-0x0000000002330000-0x0000000002381000-memory.dmp

Filesize
324KB

Download
memory/2076-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2076-0-0x0000000002330000-0x0000000002381000-memory.dmp

Filesize
324KB

Download
memory/5064-57-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-78-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-75-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-73-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-72-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-71-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-70-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-69-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-68-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-67-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-66-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-65-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-64-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-63-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-62-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-61-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-60-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-59-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-58-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-56-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-79-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-74-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/5064-17-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/5064-16-0x00000000028D0000-0x0000000002978000-memory.dmp

Filesize
672KB

Download
memory/5064-15-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/5064-14-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/5064-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download