0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe
Size

204KB
MD5

b24d270acc18d8efa11c1c9427acd353
SHA1

4e7d22168d0f50c84d46db80eb8b27af4dca9cc6
SHA256

0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9
SHA512

e4f18671966519f593e100e6d475588da7ff6dd016deff1dab9a24d50e7f8a0492b926fba6efe8b6f1ae8bcad5c48b7759674a03331a15163cb1342a92117f2e
SSDEEP

3072:0aSdR9c1/fuWL0AjMilpCOT+kICtApWFK1WHk25weLcKznxbQFFNj6QU:07oFuhAwM+kICeseWEEPznxbJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe
3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d66c7960 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d66c7960 = "C:\\Windows\\apppatch\\svchost.exe"	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyrysor.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe
File created	C:\Windows\apppatch\svchost.exe	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2304	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2304	3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe	31
PID 3032 wrote to memory of 2304	3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe	31
PID 3032 wrote to memory of 2304	3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe	31
PID 3032 wrote to memory of 2304	3032	0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe	31

C:\Users\Admin\AppData\Local\Temp\0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe
"C:\Users\Admin\AppData\Local\Temp\0dd1bba85cc12120fdafd63103d9530d42aaeacf4538765ad0627fff82bc95e9.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
24KB

MD5
46fb0a6ac23767734d0c53a08913da2d

SHA1
f0160d81ac1ab0d3ac8a2960a5b98304763b3915

SHA256
e6bbefad8d95061b23d95b106d9b4e9aa4cd0614443ac63559a2e50804897170

SHA512
ed7795120dfde9e5c20f5609f970be09def7211db317e02ce9ae0eebe4ced481cefef07dbbf1fc67988aa1e9ab2a112bbd744900f32aac65f26781ef17369774

Download Submit
C:\Program Files (x86)\Windows Defender\galynuh.com

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
41KB

MD5
def4014ca601e773490c239532b66328

SHA1
e29deff07721860cf0fa65567458200e36c4dbad

SHA256
cd04dae26bb055e8699ba50220f33e80712591fab3efcd1814211dd3e28f8b1e

SHA512
8a53cf8525eb4ee71aa43978a5bb3678b4723f2128323fec371f42bdb51e28bd1a5d8c42fe5d905eb0515249b9cfd083a3fb60e7916b4cc3d311ed61308381c3

Download Submit
C:\Program Files (x86)\Windows Defender\lyrysor.com

Filesize
114B

MD5
bfde1e9e9c32c1681a16139450c6909d

SHA1
7e669b927e6a75a10a0ca29e38e58ddcb49b725e

SHA256
e0d020ba1cb6506cee234903a44c747ee0cfa7e2d1e60029e4cd8de9a431512a

SHA512
781fd54f155442dd34f9919b3cd063ee399db411bbfe15f2bdc43d3ab8ac2d04e1011b2c99fab42bebf7b903a94e09aaaef71b7a465d2d04b417f6dad8e8e396

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
1ae6ff925b3808f240f4b35cb27a7059

SHA1
854af1f5a9e3202b4b453b8831acc7439fc4aaf8

SHA256
db5db3223eee26bc70d9095a249eacfaa1bce98d21986b8b415504c01b39834e

SHA512
0fadbdcae02f45d7dc659e4171fff31fb59a17ae086a5602fb5bbce555c6c7678ac4022588c3a28161b3cf27f87b881e60230f05d62e8ca91314ea7f1eb1676f

Download Submit
C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
13a0e5e9e5a329a61e409adc938dfae9

SHA1
534ca75cfcfe1b370828f38144c3d09a943996f8

SHA256
751d2fb59fd2193d842dc634ac3f7d670900b9b359e0e486825e5672c209c941

SHA512
ffeed411c212f2618fefc595007607bcd52550556c7809ed5d6cb534c4f6db2b04b0534c4cd31aba8f412a5acbb97d01417f9e513d88f2ff15acd886b068ddf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\login[3].htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\login[2].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
1d5cb59e7a89c17b8e6eefb5b53bd60f

SHA1
38ea4681b145a0f998158668553036924580482a

SHA256
986d345b21a56c2b073182c7085dbf04034e3ebfed716d0c46c2c8d60e11693b

SHA512
70d54522f1dbf97e2a686b01244af81a9f1e9eaafa8a7a4bd39a51779608af573c0512b7112a50a0aff13e58595df800a5d95c8f89b5559beffe5ee0923670b3

Download Submit
memory/2304-65-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-60-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-27-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-24-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-34-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-38-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-36-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-40-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-47-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-77-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-83-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-82-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-81-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-80-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-79-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-78-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-76-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-75-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-74-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-73-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-72-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-71-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-70-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-69-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-68-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-67-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-66-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-33-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-64-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-62-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-61-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-31-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-59-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-58-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-57-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-56-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-55-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-54-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-53-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-52-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-51-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-49-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-84-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-48-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-46-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-45-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-44-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-63-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-43-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-42-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-41-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-50-0x0000000002400000-0x00000000024B2000-memory.dmp

Filesize
712KB

Download
memory/2304-32-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-28-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-22-0x0000000002250000-0x00000000022F4000-memory.dmp

Filesize
656KB

Download
memory/2304-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3032-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3032-1-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/3032-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3032-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3032-18-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3032-17-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download