151ad95544425eab1e2de56b314e732090b48faeb3cfb5ae7b8ebd2660aedfda

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de089ad73233c994b4b6cf58d81e4ae0N.exe
Size

355KB
MD5

de089ad73233c994b4b6cf58d81e4ae0
SHA1

cf9ba994818c9cba0d0b049fb499114f9c21d06b
SHA256

151ad95544425eab1e2de56b314e732090b48faeb3cfb5ae7b8ebd2660aedfda
SHA512

778351179598194b2a89e4c8e46b5c1814f19a52f770ac2f21adc5abbb6b4d9a27ad7d2e1784c03fa04bae9e2d189492b77ebd5592de1697e0f2c35bcfea618b
SSDEEP

6144:q3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:1mWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1930c2a7 = ";‚]P\x18¦M.'l\x1fžo)Ø8\x14ÒÏ4d\u008d”áDckN„8¼yhû0IW0Ã™˜YØ\u00a0øpw‡y\x13q?+yÿh'£y)ßQp'oÉq×É˜\u0090\bHH"	de089ad73233c994b4b6cf58d81e4ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1930c2a7 = ";‚]P\x18¦M.'l\x1fžo)Ø8\x14ÒÏ4d\u008d”áDckN„8¼yhû0IW0Ã™˜YØ\u00a0øpw‡y\x13q?+yÿh'£y)ßQp'oÉq×É˜\u0090\bHH"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	de089ad73233c994b4b6cf58d81e4ae0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	de089ad73233c994b4b6cf58d81e4ae0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe
2180	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1940	de089ad73233c994b4b6cf58d81e4ae0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2180	1940	de089ad73233c994b4b6cf58d81e4ae0N.exe	30
PID 1940 wrote to memory of 2180	1940	de089ad73233c994b4b6cf58d81e4ae0N.exe	30
PID 1940 wrote to memory of 2180	1940	de089ad73233c994b4b6cf58d81e4ae0N.exe	30
PID 1940 wrote to memory of 2180	1940	de089ad73233c994b4b6cf58d81e4ae0N.exe	30

C:\Users\Admin\AppData\Local\Temp\de089ad73233c994b4b6cf58d81e4ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\de089ad73233c994b4b6cf58d81e4ae0N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7C47.tmp

Filesize
481B

MD5
34106211a6d4a1e9a4064f26b09f65e0

SHA1
922b1e8ebe6b71303ef37b8e89a3fdc16f79bca6

SHA256
48b59ab0df21888c0aaf1360617914aece727ec38f361f9dbe1f7c3aadc67f74

SHA512
44154e0d47e75c16bfa63467f9d860e1397240efc74612cb98d436302e2a00e51bc553100dc4d36a3e212795687e8de70d04aa1c2230cd2beb478229c7747cc4

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
355KB

MD5
7bc5317022a2ff994a7ae952f23ad7ec

SHA1
d642834ace8571897f0486f912dc89b20a0c69bd

SHA256
903aa6203162fe95ce3f152de719f4f696ce24de21e5768248fed8929d732072

SHA512
a373dca2203043dd381756a662f4ed35ea347447165f0e0c6bbda1729eb29cb7889bdf5fb92c7746c490438afb5f7b6d38b38379952330a76288d6656ab64f5a

Download Submit
memory/1940-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2180-14-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-24-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-22-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-20-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-18-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-16-0x0000000000340000-0x00000000003E8000-memory.dmp

Filesize
672KB

Download
memory/2180-25-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-27-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-29-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-36-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-46-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-64-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-77-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-76-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-75-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-74-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-73-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-72-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-71-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-69-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-68-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-67-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-66-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-65-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-63-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-62-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-61-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-60-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-59-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-58-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-57-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-56-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-55-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-54-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-53-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-52-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-51-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-50-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-49-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-48-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-47-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-70-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-45-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-44-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-43-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-42-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-41-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-40-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-39-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-38-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-37-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-35-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-34-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-33-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-32-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-31-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download
memory/2180-198-0x00000000022C0000-0x0000000002376000-memory.dmp

Filesize
728KB

Download