4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 21:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe
Size

244KB
MD5

7d434879979c5529a7b7a6a75c6400ed
SHA1

ed7bbc47344172a2e77c51c34370d6bcadeccd29
SHA256

4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11
SHA512

dae4a04b8b75d68faeca0ae0c6afa50c8ee97c09a1001073b105f2cb1ad5ad32e8fbc3488817d9024b52bf826f033bc709043d88a7b96b896903d25aa01226ef
SSDEEP

6144:eEXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:TAylvv5YRwh9HYd61xhmX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4292	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1db3155f = "C:\\Windows\\apppatch\\svchost.exe"	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1db3155f = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	4292	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4292	svchost.exe
4292	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1620	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4292	1620	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe	84
PID 1620 wrote to memory of 4292	1620	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe	84
PID 1620 wrote to memory of 4292	1620	4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe	84

C:\Users\Admin\AppData\Local\Temp\4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe
"C:\Users\Admin\AppData\Local\Temp\4f5c352ece7e5c178814d6ba51a78dee093a8b77393286047a67530f942bdf11.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 816
    3⤵
    - Program crash
    PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4292 -ip 4292
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
244KB

MD5
e79809335b442c5ff5391f683c370a54

SHA1
6bef2e9e94c4f4d859c62eaf0af2ce811a04b94f

SHA256
873dc9e17dbe30473dd37309c86f699f0befdea05fb1ea458db31f3d0b5a6603

SHA512
cc1a4420b27f457a4494297eadc7b31a774e03bd9db458b959ca18bc9ea4ca3d41f984634b8491729185669abb43f160f218d52f86d43b0c697469854a71cd52

Download Submit
memory/1620-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1620-1-0x00000000021C0000-0x0000000002228000-memory.dmp

Filesize
416KB

Download
memory/1620-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1620-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1620-12-0x00000000021C0000-0x0000000002228000-memory.dmp

Filesize
416KB

Download
memory/4292-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4292-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4292-17-0x00000000027A0000-0x00000000027EA000-memory.dmp

Filesize
296KB

Download
memory/4292-18-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4292-19-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/4292-23-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/4292-21-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/4292-26-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download