6e77add00f2bbb3062fbb7580a631a4d7930adc313c972942dab08edb478969c

General

Target

351650ddc6c955b5360582f26bc8aad0N.exe
Size

338KB
MD5

351650ddc6c955b5360582f26bc8aad0
SHA1

162e801b30f9a4253152ec92863280cbc70998c7
SHA256

6e77add00f2bbb3062fbb7580a631a4d7930adc313c972942dab08edb478969c
SHA512

e8e58403c1d78e7f1e8632946056b9a12f2c73d6981f71275dde6e6ea3b2278b4098ac4b4d152ddb93dd9fa176a32247be66926e183751d8b8fccc3266d085c6
SSDEEP

6144:MExz45lS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:mlS71Dq+pcYWWqtfxvSQj2f

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
932	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\44508738 = "C:\\Windows\\apppatch\\svchost.exe"	351650ddc6c955b5360582f26bc8aad0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\44508738 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	351650ddc6c955b5360582f26bc8aad0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	351650ddc6c955b5360582f26bc8aad0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
932	svchost.exe
932	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	351650ddc6c955b5360582f26bc8aad0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 932	2808	351650ddc6c955b5360582f26bc8aad0N.exe	84
PID 2808 wrote to memory of 932	2808	351650ddc6c955b5360582f26bc8aad0N.exe	84
PID 2808 wrote to memory of 932	2808	351650ddc6c955b5360582f26bc8aad0N.exe	84

C:\Users\Admin\AppData\Local\Temp\351650ddc6c955b5360582f26bc8aad0N.exe
"C:\Users\Admin\AppData\Local\Temp\351650ddc6c955b5360582f26bc8aad0N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
338KB

MD5
0b131aec805d9b763941a24ea05dc419

SHA1
4f9bd2b3443c07ab52c0f753414d6df4f583cccd

SHA256
8e2cc717512fb91313a6dac9dddc4e06186edb8b3dab7d8e81e2262488c55ad2

SHA512
8ae8718d9f8f5394437d7fc242d13f3f654d442484e09781790dfc6cdcbf747682e94702684eb09ad1fe5e82ac7f864de8bba3f7a5fc3d0b285c608519125857

Download Submit
memory/932-52-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/932-10-0x0000000002E00000-0x0000000002E8C000-memory.dmp

Filesize
560KB

Download
memory/932-11-0x0000000002F90000-0x000000000302B000-memory.dmp

Filesize
620KB

Download
memory/932-15-0x0000000002F90000-0x000000000302B000-memory.dmp

Filesize
620KB

Download
memory/932-13-0x0000000002F90000-0x000000000302B000-memory.dmp

Filesize
620KB

Download
memory/932-20-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/932-45-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/932-71-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/932-70-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/932-66-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/932-64-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/932-63-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/932-60-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/932-59-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/932-57-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/932-56-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/932-81-0x0000000002F90000-0x000000000302B000-memory.dmp

Filesize
620KB

Download
memory/932-53-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/932-29-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/932-49-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/932-46-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/932-43-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/932-42-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/932-38-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/932-36-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/932-35-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/932-32-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/932-31-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/932-50-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/932-28-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/932-25-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/932-24-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/932-22-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/932-21-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/932-18-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/2808-8-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads