17f2c1ea90f7a90d08c5a3de34dbd08973daed2b8eeda65e7dc68cdb933b683f

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

503d212b6795b4af9bc63a38e29e1340N.exe
Size

349KB
MD5

503d212b6795b4af9bc63a38e29e1340
SHA1

42ab014e91de372cf47fe7129931490f17d242b4
SHA256

17f2c1ea90f7a90d08c5a3de34dbd08973daed2b8eeda65e7dc68cdb933b683f
SHA512

8eb9a1f3b4f8c9a4e8f44146e5e1eb8e7459cf1bf6f2e8d652e4225cf5d743c80ec23d5975f442631a5f65f15b8f1d729b9428b90f5771021e5496865571a88e
SSDEEP

6144:rVTQ+SiexKAK4y6UvcZSeNH49qQQOH+ym4LLIoTqHSMaxzL:xSiOK4yjNQOGzoTCSMG

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5b2b48ba = "C:\\Windows\\apppatch\\svchost.exe"	503d212b6795b4af9bc63a38e29e1340N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5b2b48ba = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	503d212b6795b4af9bc63a38e29e1340N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	503d212b6795b4af9bc63a38e29e1340N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	4836	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	503d212b6795b4af9bc63a38e29e1340N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	svchost.exe
4836	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2216	503d212b6795b4af9bc63a38e29e1340N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4836	2216	503d212b6795b4af9bc63a38e29e1340N.exe	84
PID 2216 wrote to memory of 4836	2216	503d212b6795b4af9bc63a38e29e1340N.exe	84
PID 2216 wrote to memory of 4836	2216	503d212b6795b4af9bc63a38e29e1340N.exe	84

C:\Users\Admin\AppData\Local\Temp\503d212b6795b4af9bc63a38e29e1340N.exe
"C:\Users\Admin\AppData\Local\Temp\503d212b6795b4af9bc63a38e29e1340N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 816
    3⤵
    - Program crash
    PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4836 -ip 4836
1⤵
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
349KB

MD5
067ee30eb4600089b23a7e1cd5d97412

SHA1
7fabccc5feed386a145e336e480af85c82047222

SHA256
5a6b01e6d597a6a16f89405f7562a5af57782606620501d72c30fdc66090b98b

SHA512
9d8bcf2496288ce3ba4bc4aed2898f8aa6745b9e10e7ef350b7ca5a855bcf982d3d6128340bd9ce6e1d90a702b53775f4a24cd30ce5ac7631505f6756b72f967

Download Submit
memory/2216-9-0x0000000000840000-0x00000000008A9000-memory.dmp

Filesize
420KB

Download
memory/4836-10-0x0000000003160000-0x00000000031AA000-memory.dmp

Filesize
296KB

Download
memory/4836-11-0x0000000003600000-0x0000000003658000-memory.dmp

Filesize
352KB

Download
memory/4836-15-0x0000000003600000-0x0000000003658000-memory.dmp

Filesize
352KB

Download
memory/4836-13-0x0000000003600000-0x0000000003658000-memory.dmp

Filesize
352KB

Download
memory/4836-18-0x0000000003600000-0x0000000003658000-memory.dmp

Filesize
352KB

Download