b3d37e0b0eb1590c0be8a86e15c9e57010bfdf91185ee48ef693656f3122e60f

Analysis

max time kernel
112s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9804c27dfce4623fc81998eaeee83190N.exe
Size

218KB
MD5

9804c27dfce4623fc81998eaeee83190
SHA1

90bd33709c12f9d47700fc22978c442d94232c63
SHA256

b3d37e0b0eb1590c0be8a86e15c9e57010bfdf91185ee48ef693656f3122e60f
SHA512

c15d53d8b4e85fed5b9c2d7a370bb0c152a8442c9d0a00a53b73ba510244e2c49ac79af6915f2559d7b3e2e6640193748c79afff1872f3764eb6902fbbe446cf
SSDEEP

3072:ovm4SZsQrNzPrl6rjGMjp39d4u8iqddCxMIJOb2o5DsBPjim6hwM2H6:m1SyAJp6rjn1gOObn4b6h9h

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4604	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1eb3222d = "›^˜\x1ba†zÐ_-\x7fÕ\x03A°7õ\x03Ž<º¥]Äï\x1b´\x01v\x7f\u00ad\x14©Ü\x1c\x10üà9ÑA,Æ\u008fH\x19xÉ©»\x18\u0081ƒÀdgƒ>DO^á$ÈÇC®4ào\|[9Ñ™;xF\x03œ\\aDœf±¬»"	9804c27dfce4623fc81998eaeee83190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1eb3222d = "›^˜\x1ba†zÐ_-\x7fÕ\x03A°7õ\x03Ž<º¥]Äï\x1b´\x01v\x7f\u00ad\x14©Ü\x1c\x10üà9ÑA,Æ\u008fH\x19xÉ©»\x18\u0081ƒÀdgƒ>DO^á$ÈÇC®4ào\|[9Ñ™;xF\x03œ\\aDœf±¬»"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	9804c27dfce4623fc81998eaeee83190N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	9804c27dfce4623fc81998eaeee83190N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
3424	9804c27dfce4623fc81998eaeee83190N.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe
4604	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3424	9804c27dfce4623fc81998eaeee83190N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4604	3424	9804c27dfce4623fc81998eaeee83190N.exe	86
PID 3424 wrote to memory of 4604	3424	9804c27dfce4623fc81998eaeee83190N.exe	86
PID 3424 wrote to memory of 4604	3424	9804c27dfce4623fc81998eaeee83190N.exe	86

C:\Users\Admin\AppData\Local\Temp\9804c27dfce4623fc81998eaeee83190N.exe
"C:\Users\Admin\AppData\Local\Temp\9804c27dfce4623fc81998eaeee83190N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D06.tmp

Filesize
41KB

MD5
a8500e83c7e4e8012d208b76e4b08bb5

SHA1
e8713ba3f79f3a90249b9a778e82fa41aa3bb6f8

SHA256
0ed2b5bef974688df021aae3af2e7d0b920744ea6f77941b9729682e1377ea9a

SHA512
18efb4be2ff43a7fd1b4d07ed25abcdf3248c4cf4e8c63ca6b42d44210362e9166bc8def4ca319d9c035438fae3853cbfb4134abd06db96bb9b57d5c403e5ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\67DE.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
218KB

MD5
de091955c2561c169d66da59729e7320

SHA1
115682519f40a04d527e50cb987665bbe578419e

SHA256
f4b81c45e4f2a8d62ad426f48d086ffdcbe5d8593f4440c4d849949498be539d

SHA512
dca5adc2c8a4b6be756ec34e21d38bf28be11755df950a8bc75dc5328710e2ab31fa99e5784e7a12c4961072c78d82ff9e363bbd24eab02fea5a22f2fbe01e8e

Download Submit
memory/3424-0-0x00000000022F0000-0x0000000002341000-memory.dmp

Filesize
324KB

Download
memory/3424-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3424-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3424-12-0x00000000022F0000-0x0000000002341000-memory.dmp

Filesize
324KB

Download
memory/3424-11-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4604-60-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-16-0x00000000028D0000-0x0000000002978000-memory.dmp

Filesize
672KB

Download
memory/4604-17-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4604-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-79-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-78-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-75-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-74-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-73-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-72-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-71-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-70-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-68-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-67-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-66-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-65-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-64-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-63-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-62-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-61-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-14-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4604-59-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-58-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-57-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-15-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4604-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-69-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-56-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download
memory/4604-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp

Filesize
728KB

Download