6e77add00f2bbb3062fbb7580a631a4d7930adc313c972942dab08edb478969c

General

Target

351650ddc6c955b5360582f26bc8aad0N.exe
Size

338KB
MD5

351650ddc6c955b5360582f26bc8aad0
SHA1

162e801b30f9a4253152ec92863280cbc70998c7
SHA256

6e77add00f2bbb3062fbb7580a631a4d7930adc313c972942dab08edb478969c
SHA512

e8e58403c1d78e7f1e8632946056b9a12f2c73d6981f71275dde6e6ea3b2278b4098ac4b4d152ddb93dd9fa176a32247be66926e183751d8b8fccc3266d085c6
SSDEEP

6144:MExz45lS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:mlS71Dq+pcYWWqtfxvSQj2f

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	351650ddc6c955b5360582f26bc8aad0N.exe
2524	351650ddc6c955b5360582f26bc8aad0N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\908b14c3 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\908b14c3 = "C:\\Windows\\apppatch\\svchost.exe"	351650ddc6c955b5360582f26bc8aad0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	351650ddc6c955b5360582f26bc8aad0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	351650ddc6c955b5360582f26bc8aad0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2524	351650ddc6c955b5360582f26bc8aad0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2676	2524	351650ddc6c955b5360582f26bc8aad0N.exe	29
PID 2524 wrote to memory of 2676	2524	351650ddc6c955b5360582f26bc8aad0N.exe	29
PID 2524 wrote to memory of 2676	2524	351650ddc6c955b5360582f26bc8aad0N.exe	29
PID 2524 wrote to memory of 2676	2524	351650ddc6c955b5360582f26bc8aad0N.exe	29

C:\Users\Admin\AppData\Local\Temp\351650ddc6c955b5360582f26bc8aad0N.exe
"C:\Users\Admin\AppData\Local\Temp\351650ddc6c955b5360582f26bc8aad0N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
338KB

MD5
d14b6f7acc1a8c7a4f8859ce05294085

SHA1
7ffe90688c2f0475c1f44da9d266809b37f22894

SHA256
02312570d8ce6d12adc3795ca576d6ccdaa91d0465c0722072e7f9f1d25f34b0

SHA512
601f7045424ec4abe8646e6fb2c2b368afb24675ac9d630b185bfdf6fef06bd6cd3ab13641b89f37aa1df2b3637bcd94cf4a110ef8dbc2ba4929264fc434b8c6

Download Submit
memory/2524-12-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/2676-16-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-24-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-22-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-20-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-18-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-14-0x0000000000510000-0x000000000059C000-memory.dmp

Filesize
560KB

Download
memory/2676-28-0x00000000021E0000-0x000000000227B000-memory.dmp

Filesize
620KB

Download
memory/2676-25-0x00000000021E0000-0x000000000227B000-memory.dmp

Filesize
620KB

Download
memory/2676-30-0x00000000021E0000-0x000000000227B000-memory.dmp

Filesize
620KB

Download
memory/2676-76-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2676-75-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2676-73-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2676-72-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2676-69-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2676-68-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2676-66-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2676-65-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2676-62-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2676-61-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2676-59-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2676-58-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2676-54-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2676-52-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2676-51-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2676-47-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2676-45-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2676-44-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2676-41-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2676-40-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2676-38-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2676-37-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2676-36-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2676-34-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2676-97-0x00000000021E0000-0x000000000227B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads