b1429ceddea5eee992ed98a08c01fc8a66727e8f96894bf7544ce644599a94ce

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f235984c0c19aa63a601752f7b2c640N.exe
Size

205KB
MD5

1f235984c0c19aa63a601752f7b2c640
SHA1

20576692c561f27c0892b30b1ae985476f6e1fd9
SHA256

b1429ceddea5eee992ed98a08c01fc8a66727e8f96894bf7544ce644599a94ce
SHA512

e3b96dab7d0066f5e640a03c1ea7b6fd047792be99e3ac86febebac95260c2564775e63df711039b554f0fa8a9b1a5a27aa532434f943d1078cd51003a1f4669
SSDEEP

3072:b7VD4DUHnNZkfOP6sfIOpJ9C3hPlGxt1UhRkgyankTIzfwAYzWcXCyqT36zhRRKy:VzHnMLm5GNGxHUhtnkdpHqTKzhh8i

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	1f235984c0c19aa63a601752f7b2c640N.exe
2692	1f235984c0c19aa63a601752f7b2c640N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5c42aa29 = "C:\\Windows\\apppatch\\svchost.exe"	1f235984c0c19aa63a601752f7b2c640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5c42aa29 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	1f235984c0c19aa63a601752f7b2c640N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	1f235984c0c19aa63a601752f7b2c640N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2692	1f235984c0c19aa63a601752f7b2c640N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2704	2692	1f235984c0c19aa63a601752f7b2c640N.exe	30
PID 2692 wrote to memory of 2704	2692	1f235984c0c19aa63a601752f7b2c640N.exe	30
PID 2692 wrote to memory of 2704	2692	1f235984c0c19aa63a601752f7b2c640N.exe	30
PID 2692 wrote to memory of 2704	2692	1f235984c0c19aa63a601752f7b2c640N.exe	30

C:\Users\Admin\AppData\Local\Temp\1f235984c0c19aa63a601752f7b2c640N.exe
"C:\Users\Admin\AppData\Local\Temp\1f235984c0c19aa63a601752f7b2c640N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
41KB

MD5
7ea4eb9176a1e02ccb63401b066be1a7

SHA1
0206e7386763f631df615a4ea88ed9f0adcfc100

SHA256
5515b5f5f0281c3f6f7b9c53a66c9d72f53b6df014b44063907f57daead980a7

SHA512
c5c018b7b1868b733087bf07ac840f07545f551866d5449e505d828b776a86358c36f4ccc6fa63b2a8c062fe41d4e536aa5232ea77c7587c39f1d56db0fc8876

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
6cd9fb8867a997b599f91be491bd8d65

SHA1
161eee66c7981dae511dbc6183eb6c9e4950a913

SHA256
432e0fe93b678c9d97976aa3c397dc5d1b920847533f29cbcf198a0ceadbb4be

SHA512
3ac824995e3817b1af5478dfa2cbb1a92c32cbe420a6b176241c12de7e5fbdbe39f01ea264d0c939156ef9fdb86c67f74897df3026bb0addbd6c44add4d7dce4

Download Submit
C:\Program Files (x86)\Windows Defender\pupydeq.com

Filesize
114B

MD5
bfde1e9e9c32c1681a16139450c6909d

SHA1
7e669b927e6a75a10a0ca29e38e58ddcb49b725e

SHA256
e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a

SHA512
781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

Download Submit
C:\Program Files (x86)\Windows Defender\qetyhyg.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
205KB

MD5
2af20702782973ed737b21d4b5257d88

SHA1
b835875b6922db9aff20680b1d31847659a69fb6

SHA256
6a13b4653e89149d4bc07e000e85d3f3c8f5f0356cd0147a98badfa9853567f9

SHA512
cac96bf1d6c93bf7241dda3e65f15998d4149e58a7aa442f12bf2e6d8639c712b48da4c1756e92249da3a062a4659619fa610f77cb4fdc23728d3cacf9090903

Download Submit
memory/2692-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2692-1-0x00000000002B0000-0x00000000002FF000-memory.dmp

Filesize
316KB

Download
memory/2692-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2692-18-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2692-17-0x00000000002B0000-0x00000000002FF000-memory.dmp

Filesize
316KB

Download
memory/2692-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2704-74-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-66-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-22-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-32-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-33-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2704-34-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-38-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-36-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-43-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-45-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-72-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-84-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-83-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-82-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-81-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-80-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-79-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-78-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-77-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-76-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-75-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-30-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-73-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-28-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-71-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-70-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-69-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-68-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-67-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-26-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-64-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-63-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-62-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-61-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-60-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-59-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-58-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-57-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-56-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-55-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-54-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-53-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-52-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-51-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-50-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-49-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-47-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-46-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-44-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-65-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-42-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-41-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-48-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-40-0x00000000024D0000-0x0000000002582000-memory.dmp

Filesize
712KB

Download
memory/2704-24-0x0000000002320000-0x00000000023C4000-memory.dmp

Filesize
656KB

Download
memory/2704-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2704-20-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2704-19-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download