38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe
Size

237KB
MD5

8516e0e1c178920303a0633c7a4571cd
SHA1

8a23f7e1cd2768354fe03cadf2cee4401533893d
SHA256

38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d
SHA512

80e0bac9dde31ce185d5fe62ee5cedda23b623e4fa3c74bbcf90b547713320ea3ec6542adfc85ef2581bba83b69e4f243ef124b2acf724fb5587d2089296a266
SSDEEP

6144:nD8okEvTyoZVOgd2QZiw5NLclL5orfQH:DsjCF2QZiOU+4

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
296	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe
2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\47cdd144 = "C:\\Windows\\apppatch\\svchost.exe"	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\47cdd144 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
296	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 296	2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe	28
PID 2864 wrote to memory of 296	2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe	28
PID 2864 wrote to memory of 296	2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe	28
PID 2864 wrote to memory of 296	2864	38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe	28

C:\Users\Admin\AppData\Local\Temp\38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe
"C:\Users\Admin\AppData\Local\Temp\38adb61afc897ac5543d07936cbbdaabfe96181e18ca1b6468e37d65dfbde79d.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
237KB

MD5
29152945c622caeb92b09d092d0c6399

SHA1
525f0a5d452e00d4fd7754da4179f710d4bda3f9

SHA256
96c40da8d52c97d9615d38c3726efcd76b87764b3b5bfaf257eb9c4bf88481fa

SHA512
23c8fb9963f338c34232c45680806b8cbd442bc496256a2505e163dd8bb40705fe90c48d8ef098407b0fb4c51adb5dc48670d1cd66a45d55eb8720e63f017fba

Download Submit
memory/296-79-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/296-30-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-40-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/296-78-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/296-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/296-74-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/296-20-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-75-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/296-28-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/296-24-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-22-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-26-0x0000000002240000-0x00000000022CC000-memory.dmp

Filesize
560KB

Download
memory/296-32-0x0000000002870000-0x000000000290B000-memory.dmp

Filesize
620KB

Download
memory/296-34-0x0000000002870000-0x000000000290B000-memory.dmp

Filesize
620KB

Download
memory/296-36-0x0000000002870000-0x000000000290B000-memory.dmp

Filesize
620KB

Download
memory/296-60-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/296-82-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/296-81-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/296-42-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/296-43-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/296-44-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/296-19-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/296-72-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/296-71-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/296-68-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/296-67-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/296-65-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/296-64-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/296-58-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/296-57-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/296-54-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/296-53-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/296-51-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/296-50-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/296-47-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/296-46-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2864-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2864-16-0x0000000002180000-0x00000000021E5000-memory.dmp

Filesize
404KB

Download
memory/2864-0-0x0000000002180000-0x00000000021E5000-memory.dmp

Filesize
404KB

Download
memory/2864-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download