65ee8a95c9b257410977d855e967f6a35411833a984ad63ea9e298b31e7d6640

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04be35537e487658cb5499263499abf0N.exe
Size

204KB
MD5

04be35537e487658cb5499263499abf0
SHA1

425c5803311fedd05c6999799b612a31093b3299
SHA256

65ee8a95c9b257410977d855e967f6a35411833a984ad63ea9e298b31e7d6640
SHA512

583574140077432c472f276acf04dc6cd708675f2a184bc0712ef5a3699e5f4df338b39740fa35297d417f0747e01e5ebd948701bdd24d2b154d1dd64eef8356
SSDEEP

3072:GO/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:GgFtboVBJtNWyPnYG4fUbk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	04be35537e487658cb5499263499abf0N.exe
3032	04be35537e487658cb5499263499abf0N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0d30c78 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0d30c78 = "C:\\Windows\\apppatch\\svchost.exe"	04be35537e487658cb5499263499abf0N.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	04be35537e487658cb5499263499abf0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	04be35537e487658cb5499263499abf0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1984	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	04be35537e487658cb5499263499abf0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1984	3032	04be35537e487658cb5499263499abf0N.exe	30
PID 3032 wrote to memory of 1984	3032	04be35537e487658cb5499263499abf0N.exe	30
PID 3032 wrote to memory of 1984	3032	04be35537e487658cb5499263499abf0N.exe	30
PID 3032 wrote to memory of 1984	3032	04be35537e487658cb5499263499abf0N.exe	30

C:\Users\Admin\AppData\Local\Temp\04be35537e487658cb5499263499abf0N.exe
"C:\Users\Admin\AppData\Local\Temp\04be35537e487658cb5499263499abf0N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
23KB

MD5
b229cd65829a1e8b126e404944ef8731

SHA1
62fcc67dd3bf9612086880df0cf797ce46e664c4

SHA256
14e921f530059cf0abb4177b6c86a3574b71b942833d70deb3e3921dbbed3ce9

SHA512
526132813232595225f708daf6a629683afddd60d0aae752b846c391bf237e07f223c6bb786ed135046234b1688f7a0d3d59b9bbb0c671548fd6db7343b7ff5a

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
00697c2b8ad2f93f078ef0324f951b30

SHA1
7faf411fde39c863be94b9fd05e89db57f52ae84

SHA256
068e9983eebd1c38dfa8b4bc1f4d524b7ed805271315ed1b8331ea2479915ebd

SHA512
c3e6e17a8377b7095d44191440aa3268704e122eebbebabad89f8c1b9d21a3b2fba3431d8fe07e6cb722ab93a5c275be0f05eced510a1cb0080c8d05bd75aba0

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
8006efa96b607e90a2ecd385e82fbced

SHA1
843a93393f5d4f89167b3eadb7dd00652cfeca8e

SHA256
195b2e98ff77b3de2acce90eedeca42df2c94d0884fed2aee1604dea085cb803

SHA512
7acdcdd671a291a82421ecbcbda5713ab95dbad9044734d8458a4349843cdf18457a1a40b127bd30d2991e4012cd249874f941ccde43e4a646d1e87a5016e0f6

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
53881d139b3adb9c4d6b8a058f2314a1

SHA1
4c387a9cddddce9ea269a325775275c8b0bcb2d5

SHA256
7186edccea43966c7eec8a7ef17daf56122fefffef84a89700940229301ecae1

SHA512
bcccf1c5d4ee9c1085bfec60fd3325bffc9d5f35cc23bdc5e18219c0ae1bedb32e2f10c3684b21e2c3f9b877ccf25ea60939c73deb074474d8d8148613afd315

Download Submit
memory/1984-68-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-58-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-19-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-26-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-32-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-33-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-30-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-24-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-28-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-34-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-36-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-38-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-40-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-48-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-84-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-83-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-82-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-81-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-80-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-79-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-78-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-77-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-76-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-75-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-74-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-73-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-71-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-70-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-69-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1984-65-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-22-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/1984-67-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-64-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-63-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-62-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-61-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-60-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-59-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-66-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-57-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-56-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-55-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-54-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-53-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-51-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-49-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-47-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-46-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-72-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-45-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-44-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-43-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-42-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-41-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-52-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/1984-50-0x0000000002400000-0x00000000024B1000-memory.dmp

Filesize
708KB

Download
memory/3032-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3032-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3032-1-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/3032-17-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/3032-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3032-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download