1cf250e6d2cc9f234157f9ca6cbfb44069a662634a7aa9dfdf50808b6094e64c

General

Target

da6a32eecd1e16f98756e915877797f0N.exe
Size

209KB
MD5

da6a32eecd1e16f98756e915877797f0
SHA1

04bc4f201dc8d323b639354ba0343a355c8c09fe
SHA256

1cf250e6d2cc9f234157f9ca6cbfb44069a662634a7aa9dfdf50808b6094e64c
SHA512

693cfd768f852a3942b9670179d100cc4b885555b1ef546bbbf6514f86b9480e181e90326356faf19c15f5a121256b01d9f410d49616c1545d45e8753a291f33
SSDEEP

3072:GQcjk9tVRNIcjb4Ryfjijjx14hdeCXHKPJFo9zpE7Di0X0JuLL+o7BlpF9e:GQh9tVRm2kh34hdeCkcG7DEALLlnN

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4052	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4908-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4908-13-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4052-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4052-17-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\894bada = "C:\\Windows\\apppatch\\svchost.exe"	da6a32eecd1e16f98756e915877797f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\894bada = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	da6a32eecd1e16f98756e915877797f0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	da6a32eecd1e16f98756e915877797f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da6a32eecd1e16f98756e915877797f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4052	svchost.exe
4052	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4908	da6a32eecd1e16f98756e915877797f0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4052	4908	da6a32eecd1e16f98756e915877797f0N.exe	90
PID 4908 wrote to memory of 4052	4908	da6a32eecd1e16f98756e915877797f0N.exe	90
PID 4908 wrote to memory of 4052	4908	da6a32eecd1e16f98756e915877797f0N.exe	90

C:\Users\Admin\AppData\Local\Temp\da6a32eecd1e16f98756e915877797f0N.exe
"C:\Users\Admin\AppData\Local\Temp\da6a32eecd1e16f98756e915877797f0N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
209KB

MD5
b6bca181f88b3bfae38b54ea0b7e92a8

SHA1
c00927f05ea650d12498503ad06c4726b6bfcb82

SHA256
335f82645eb6e16ba7d85ac855305744e2200c50b907288cc6b6e8759c530cc6

SHA512
42d744dee9112be42734ed8df48b65caa790972e819fe67ea89e560720b3cf249ede29973ad6334d9bb7dadff9dd5562bdfd667c6faddc512f9d3257f945042c

Download Submit
memory/4052-18-0x0000000002B90000-0x0000000002C29000-memory.dmp

Filesize
612KB

Download
memory/4052-14-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4052-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4052-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4052-16-0x0000000002A00000-0x0000000002A8A000-memory.dmp

Filesize
552KB

Download
memory/4052-20-0x0000000002B90000-0x0000000002C29000-memory.dmp

Filesize
612KB

Download
memory/4052-22-0x0000000002B90000-0x0000000002C29000-memory.dmp

Filesize
612KB

Download
memory/4052-25-0x0000000002B90000-0x0000000002C29000-memory.dmp

Filesize
612KB

Download
memory/4908-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4908-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4908-11-0x00000000005D0000-0x0000000000628000-memory.dmp

Filesize
352KB

Download
memory/4908-0-0x00000000005D0000-0x0000000000628000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads