151ad95544425eab1e2de56b314e732090b48faeb3cfb5ae7b8ebd2660aedfda

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de089ad73233c994b4b6cf58d81e4ae0N.exe
Size

355KB
MD5

de089ad73233c994b4b6cf58d81e4ae0
SHA1

cf9ba994818c9cba0d0b049fb499114f9c21d06b
SHA256

151ad95544425eab1e2de56b314e732090b48faeb3cfb5ae7b8ebd2660aedfda
SHA512

778351179598194b2a89e4c8e46b5c1814f19a52f770ac2f21adc5abbb6b4d9a27ad7d2e1784c03fa04bae9e2d189492b77ebd5592de1697e0f2c35bcfea618b
SSDEEP

6144:q3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9EiS:1mWhND9yJz+b1FcMLmp2ATTSsdS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844a00a3 = "MB0ZÕJI;ÛÍ™\aí\x0fÀ.ÉqGdfRÔî\x1a\x1eæ\x13ÊuÎD¦·¤Dš¢\u0090Dê\x16\u0090_d¨´]\aõÞ/u(N2§´F-0B¨<\fPdªB•e ,\\Ì®à\x04üÔ$´Åš€ô¬}ÍŽÜ¸ìŠ\x10~\x10„êÕÂÚ…þ¿º\"ÊxÕ•ÄdxTÒU=E¶M=R\x1cæ7\u008dM¨ïÞ\f¦Üÿr–@e,äõýHÍ¼\aÌµÜ\u0090¶þ\x15ÕD²\|îhÞåÍ$4Ý•§ì\bµ\u00adôvj…\fˆ8\x16\x04vÊ=EôâúÇ\x0e˜\x1a62xÌÐgõ×\n>ªÕµ\x1c\u009dÞ‡¥=7=ž}¶„²â\ad…$.—MDJl\u00a0'LŒŠ¥VýL\x160]]4žM„ÐUýzÈZ}ä\\WZe"	de089ad73233c994b4b6cf58d81e4ae0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844a00a3 = "MB0ZÕJI;ÛÍ™\aí\x0fÀ.ÉqGdfRÔî\x1a\x1eæ\x13ÊuÎD¦·¤Dš¢\u0090Dê\x16\u0090_d¨´]\aõÞ/u(N2§´F-0B¨<\fPdªB•e ,\\Ì®à\x04üÔ$´Åš€ô¬}ÍŽÜ¸ìŠ\x10~\x10„êÕÂÚ…þ¿º\"ÊxÕ•ÄdxTÒU=E¶M=R\x1cæ7\u008dM¨ïÞ\f¦Üÿr–@e,äõýHÍ¼\aÌµÜ\u0090¶þ\x15ÕD²\|îhÞåÍ$4Ý•§ì\bµ\u00adôvj…\fˆ8\x16\x04vÊ=EôâúÇ\x0e˜\x1a62xÌÐgõ×\n>ªÕµ\x1c\u009dÞ‡¥=7=ž}¶„²â\ad…$.—MDJl\u00a0'LŒŠ¥VýL\x160]]4žM„ÐUýzÈZ}ä\\WZe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	de089ad73233c994b4b6cf58d81e4ae0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	de089ad73233c994b4b6cf58d81e4ae0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe
1048	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2656	de089ad73233c994b4b6cf58d81e4ae0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1048	2656	de089ad73233c994b4b6cf58d81e4ae0N.exe	84
PID 2656 wrote to memory of 1048	2656	de089ad73233c994b4b6cf58d81e4ae0N.exe	84
PID 2656 wrote to memory of 1048	2656	de089ad73233c994b4b6cf58d81e4ae0N.exe	84

C:\Users\Admin\AppData\Local\Temp\de089ad73233c994b4b6cf58d81e4ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\de089ad73233c994b4b6cf58d81e4ae0N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\login[2].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B3E.tmp

Filesize
1KB

MD5
2f7da88e68306fdc071aba5dd35fd6b6

SHA1
8f95d40564db650d7d542419fec7944fe49ac61c

SHA256
e4b7bbf70d116247498a77834c860fad49630a63ae29d48633c44196b0cf38da

SHA512
03fb47b0e16e5e9d83f5e8a8d1e6fd5d17cf2f97646cac65bb5e32282ea45bf81ba4c891cd294ddf6c344c9c8d0595073d9dae915db97aa1ba6c46afda20cb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\985A.tmp

Filesize
23KB

MD5
d12e2be34e348501f3dcd2ec658ec359

SHA1
37bc6573a0cb1892cea076e085d0528dd0231375

SHA256
6c676e56adeaf640820656e4957ba77f0a2b055560008330df37d88665b0ad36

SHA512
d406dbf848d77b88e65525550936baaabb7be7ef0ad48f660c11bcbe93b8c39de7397eeab6aadf60b1fcc796dec7dc92be7f59945afe87aaac43dd1336e7d5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\98AC.tmp

Filesize
481B

MD5
2a074a2a99a5aac814a2b5b62f92a733

SHA1
a7094440fc570cfe01b67007048c55687bcbc7b1

SHA256
89c1f1020553b03471657b269f86bdb8695cbb06926eecd724e4fb7a3426d2bd

SHA512
1c2ceb99aceaae934686b24e8740f5917416575a0a7a421359e2d900c47262f3128c0dd5f1779b94c383e9281eb275f91eca930347a86892081d144021f09127

Download Submit
C:\Users\Admin\AppData\Local\Temp\98DD.tmp

Filesize
42KB

MD5
cc4721c4e77f14d3553ce27effc47e22

SHA1
31105320a08826206e6176bdf629584a2ab831a0

SHA256
9730fabacac1155dc4c2936e44bf1d97e3002d4284e1f69d2408218466c7656b

SHA512
e80e5107a22e7ddda0eedc9bdb20ec1aa587819ab589d7272f6d87e740b5465bff656d6de8f5f1eaa27e3e1c21c5d1a64a0d167590de3952c51f9a86ee0c8a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB8F.tmp

Filesize
593B

MD5
3b03d93d3487806337b5c6443ce7a62d

SHA1
93a7a790bb6348606cbdaf5daeaaf4ea8cf731d0

SHA256
7392749832c70fcfc2d440d7afc2f880000dd564930d95d634eb1199fa15de30

SHA512
770977beaeedafc5c98d0c32edc8c6c850f05e9f363bc9997fa73991646b02e5d40ceed0017b06caeab0db86423844bc4b0a9f0df2d8239230e423a7bfbd4a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB8F.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
355KB

MD5
57f793275c1d766e29fcdbceed0d45f3

SHA1
183af6e29d178fc08f4994841e535932559ad766

SHA256
26fe46d3ef85277a319ee78499bdced2c543104e252c7e2371b8ac25df65e1ca

SHA512
4349cdf37d659188f9dc9762d85d7f13e9c9ea15a371705a9c795e1d8da28a1af0826fed27b48f242e9e7d852ecf901aa6392d4077b0d5247a7bf5210ab14b1c

Download Submit
memory/1048-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1048-10-0x0000000002720000-0x00000000027C8000-memory.dmp

Filesize
672KB

Download
memory/1048-171-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/2656-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download