fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
Size

345KB
MD5

a2017d0b077dd29c081b2e8329dd3cdc
SHA1

91d75537d9f15e2246a355e03e336c550610d871
SHA256

fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b
SHA512

6941df5058ef76511f834e8a13cd1ea5e9f3aedc47d2f0a2a051661279daa19aa1900550d32b3c6ac33f5151259645312839f089711556892da7cadb25f136bd
SSDEEP

6144:OvYCmWoza0a1IMVVEb3uqRpwIUV9lMYmFQqZRRphLuVucfb8ehbjN8wS21bKRTw3:O3mWQa0a1IMVr9eMqbRzLuVucfb8ehbz

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\197bbe06 = "C:\\Windows\\apppatch\\svchost.exe"	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\197bbe06 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2140	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2140	2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe	30
PID 2084 wrote to memory of 2140	2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe	30
PID 2084 wrote to memory of 2140	2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe	30
PID 2084 wrote to memory of 2140	2084	fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe	30

C:\Users\Admin\AppData\Local\Temp\fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe
"C:\Users\Admin\AppData\Local\Temp\fbbe526f961fb81329ac3463b0efb81a378c6b097fc1a070465fc55edfac942b.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
23KB

MD5
60c790889d836acae61ee755ba5c69f5

SHA1
7f1b814d60aedae94b0cc2c51540c13ad0d96d77

SHA256
6f11dc64fc933c5f27f197f0d63bda0ac002da8ea82c1d4540f3dbc3a6a9256d

SHA512
94b63e0d2c88f551a35476819c2429b8ae15fba9f599e49fe23767d9ece62c39d43c64d768fcde9b9ab3678b6e60abbdc264611191d20e9d4b51042b4d9eadf9

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
396285b7e0cf95c67e4dd0393523c9f2

SHA1
118da696524d84800c5ae6665cb78ef79acde8a6

SHA256
f9edbb95aa7484e1c8f014b6b0c0d4d48e2c9df6e640ae4b79390297b7a50562

SHA512
d876e870079d47dff2bbfb899c3132c9d97faf80d7575cc1e8c5b3710dc17a7947accb22968fc9ed8165151f20d73f76641d27fb2d7b85f67f6f49652641ca6f

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
114B

MD5
bfde1e9e9c32c1681a16139450c6909d

SHA1
7e669b927e6a75a10a0ca29e38e58ddcb49b725e

SHA256
e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a

SHA512
781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7V06J7Q\login[3].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
345KB

MD5
9c172d5b8e911cf1fc09ff6f5640154e

SHA1
43570b86b60e341543c1be1c3065be01c6b366d2

SHA256
e4ee5590a31eb37f713a8d7cff0e54e6d90a75a3f0bf65e9cd9c6752e0867e3e

SHA512
a175f1eb6319aeb4e0cb660a2def97b6dbcb45272313a12a55e3d6f7128b612fbd3ee875445b816c8ff8771c58832470aa03139548dab38074e14fe83db9668a

Download Submit
memory/2084-13-0x0000000000A40000-0x0000000000A9C000-memory.dmp

Filesize
368KB

Download
memory/2140-43-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-61-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-72-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-71-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-69-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-68-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-67-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-66-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-64-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-63-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-62-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-60-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-58-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-57-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-56-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-55-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-53-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-52-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-37-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-50-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-49-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-48-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-47-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-46-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-44-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-75-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-42-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-41-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-73-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-40-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-51-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-36-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-34-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-76-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-74-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-70-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-33-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-65-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-39-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-59-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-54-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-45-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-38-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-35-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-32-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-30-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-28-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-27-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-24-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-22-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-18-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-16-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-14-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-20-0x0000000000200000-0x00000000002A4000-memory.dmp

Filesize
656KB

Download
memory/2140-198-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-2141-0x000000007737F000-0x0000000077380000-memory.dmp

Filesize
4KB

Download
memory/2140-77-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2140-78-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download