7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3

Analysis

max time kernel
92s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unrepellent.exe
Size

244KB
MD5

71db30d5db50af8adec8fa9c24ce9860
SHA1

78f2eba84b5b61886a2444c47ae42ae89efa02d4
SHA256

7757d34ab16584dd4e8e8493cda9b22a3bb60509392c269081ef71ff0de1d9b3
SHA512

f25a0e756e472471ba7c45f01431d2071743611553298138fa6a674493c0254b7c88f255b952a15531572b61a5cbc328693ddea1480630742c97f3c3016b54da
SSDEEP

6144:9EXlSylvFuWaS54hIAv/QhuA7HY8pPZ0FP6BzxM5EmX:eAylvv5YRwh9HYd61xhmX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1536	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\84c5b52d = "C:\\Windows\\apppatch\\svchost.exe"	unrepellent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\84c5b52d = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	unrepellent.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	unrepellent.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
244	1536	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	svchost.exe
1536	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1924	unrepellent.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1536	1924	unrepellent.exe	85
PID 1924 wrote to memory of 1536	1924	unrepellent.exe	85
PID 1924 wrote to memory of 1536	1924	unrepellent.exe	85

C:\Users\Admin\AppData\Local\Temp\unrepellent.exe
"C:\Users\Admin\AppData\Local\Temp\unrepellent.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 784
    3⤵
    - Program crash
    PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1536 -ip 1536
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
244KB

MD5
70b6e320244b029829791de6c43ae688

SHA1
1e9a811cf26edc7b0161d262fa4527282f11139c

SHA256
a86b9e14c3f64cddf58548673a503c73a64f821d7cbdf097c4d70339c92b8185

SHA512
c94bfbb9bc4266442e178b0930da1445fcd3a59ad0e661790b4fa9b65aef8a5a714bc8cd644d68a9c8ed98a276987c332318d0db8283377ba910e7e44decdce2

Download Submit
memory/1536-11-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1536-12-0x00007FFC96A90000-0x00007FFC96C85000-memory.dmp

Filesize
2.0MB

Download
memory/1536-14-0x00000000027A0000-0x00000000027EA000-memory.dmp

Filesize
296KB

Download
memory/1536-15-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1536-17-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1536-19-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1536-28-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1536-22-0x0000000002B40000-0x0000000002B98000-memory.dmp

Filesize
352KB

Download
memory/1924-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1924-1-0x00007FFC96A90000-0x00007FFC96C85000-memory.dmp

Filesize
2.0MB

Download
memory/1924-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download