Analysis Overview
SHA256
61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63
Threat Level: Known bad
The file 61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N was found to be: Known bad.
Malicious Activity Summary
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 16:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 16:19
Reported
2024-09-19 16:21
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1ea312d9 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gahyqah.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2636 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2636 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2636 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe
"C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| GB | 95.101.143.195:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 69.162.80.59:80 | lysyfyj.com | tcp |
| US | 69.162.80.59:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 82.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
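The Network table above mixes three kinds of row: reverse (PTR) lookups the sandbox issues for each contacted IP, environment noise (www.bing.com, c.pki.goog), and a long run of seven-letter .com names with a y in the fourth position, most of which receive only a DNS query and only a handful of which are followed by a TCP connection. The same names recur as the files dropped under Program Files (x86)\Windows Defender. The Python below is an added example (mine, not the sandbox's output): it parses an excerpt of the table rows, decodes the PTR targets back to the IPs they describe, separates noise from the patterned names, and reports which of those names actually resolved to an address. The letter pattern is an observation about the names listed on this page, not a reverse-engineered generation algorithm, and the noise allowlist is an assumption.

```python
import re
from collections import defaultdict

# Excerpt of rows copied from the Network table above, including the page's one
# malformed row with an empty Domain cell. A constructed subset, not the full table.
REPORT_EXCERPT = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| GB | 95.101.143.195:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | | udp |
"""

# Shape shared by every candidate C2 name on this page: seven lowercase letters,
# 'y' in the fourth position, consonants and vowels alternating (y counts as a
# vowel in positions 2 and 6). An observation about the listed names only.
C, V = "[bcdfghjklmnpqrstvwxz]", "[aeiouy]"
DGA_RE = re.compile(rf"^(www\.)?{C}{V}{C}y{C}{V}{C}\.com$")

# Hosts a Windows sandbox contacts on its own; assumed environment noise.
NOISE = {"www.bing.com", "c.pki.goog"}


def parse_rows(text):
    """Return ([(country, destination, domain, proto)], skipped_row_count)."""
    rows, skipped = [], 0
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")][1:-1]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if not domain:          # the page's malformed row: keep count, do not guess
            skipped += 1
            continue
        rows.append((country, dest, domain, proto.lower()))
    return rows, skipped


def ptr_target(domain):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196' (octets are reversed in PTR names)."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "ptr"
    if domain in NOISE:
        return "noise"
    if DGA_RE.match(domain):
        return "dga"
    return "other"


def triage(text):
    rows, skipped = parse_rows(text)
    out = {"ptr_targets": set(), "noise": set(), "dga": set(), "other": set(),
           "resolved": defaultdict(set), "skipped_rows": skipped}
    for _country, dest, domain, proto in rows:
        kind = classify(domain)
        if kind == "ptr":
            out["ptr_targets"].add(ptr_target(domain))
            continue
        out[kind].add(domain)
        if proto == "tcp":      # a TCP row means the name resolved and was contacted
            out["resolved"][domain].add(dest.rsplit(":", 1)[0])
    # Patterned names that were only queried: no address came back inside the run.
    out["queried_only"] = {d for d in out["dga"] if d not in out["resolved"]}
    out["resolved"] = dict(out["resolved"])
    return out


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    for key in ("ptr_targets", "noise", "dga", "queried_only", "skipped_rows"):
        print(f"{key:13} {result[key]}")
    for name, ips in sorted(result["resolved"].items()):
        print(f"resolved      {name} -> {sorted(ips)}")
```

Applied to the full table, the resolved set is the short list of names paired with a tcp row (vojyqem.com, lyvyxor.com, qegyhig.com, gahyqah.com, galyqaz.com, puzylyp.com, gatyfus.com, gadyniw.com and the rest) and the queried-only set is everything else. Because the dropped svchost.exe has a different hash in each detonation (compare the two Files sections), the apppatch path, the Winlogon value and the resolved names are more durable pivots than the file hashes.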
Files
memory/2636-0-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2636-1-0x0000000002910000-0x0000000002962000-memory.dmp
memory/2636-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 9bb759f349181e67a88d07503855632f |
| SHA1 | a03577d04aec75cdacfb5c38a874004c2287e946 |
| SHA256 | 9bec69ef6b3a20ded304407d62aabbb81f1de5d38bf9078aa71c3d0ba9fd194b |
| SHA512 | d67d22f537dd40692f2f82f18d2acb27bf291f08345f22645da6304877aa204b666259663893a59c3221a9db65d288ce4e67255cb838dc7c3acc0adc397fae87 |
memory/1864-14-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2636-18-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2636-17-0x0000000002910000-0x0000000002962000-memory.dmp
memory/2636-16-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1864-15-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1864-19-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1864-20-0x0000000002DA0000-0x0000000002E4A000-memory.dmp
memory/1864-21-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1864-22-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-26-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-24-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-29-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-30-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-81-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-80-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-78-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-77-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-76-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-74-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-73-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-71-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-70-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-69-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-64-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-62-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-61-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-59-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-58-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-57-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-55-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-53-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-52-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-50-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-49-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-47-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-46-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-44-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-42-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-41-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-40-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-39-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-37-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-35-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-34-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-79-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-75-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-72-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-68-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-67-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-66-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-65-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-63-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-60-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-56-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-54-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-51-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-48-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-45-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-43-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-38-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-36-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-33-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-32-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-31-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-28-0x0000000002F90000-0x0000000003047000-memory.dmp
memory/1864-27-0x0000000002F90000-0x0000000003047000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\ZFZ2IW35\login[1].htm
| MD5 | d57e3a550060f85d44a175139ea23021 |
| SHA1 | 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6 |
| SHA256 | 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c |
| SHA512 | 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 16:19
Reported
2024-09-19 16:21
Platform
win7-20240903-en
Max time kernel
111s
Max time network
121s
Command Line
Signatures
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\138dc07 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2364 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2364 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2364 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe
"C:\Users\Admin\AppData\Local\Temp\61a409bfbc12a0b18943b9935ffee6c74b12a7814de8223e9b1784fb39a12e63N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.135.40:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 69.162.80.56:80 | lysyfyj.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 69.162.80.56:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
Files
memory/2364-0-0x0000000000400000-0x0000000000495000-memory.dmp
memory/2364-1-0x00000000002F0000-0x0000000000342000-memory.dmp
memory/2364-2-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | 0c32fbf5de6ea801f2f1a7b601645df5 |
| SHA1 | 0d4377f5af61c712a2eb3304ce91cc99ad30f74f |
| SHA256 | 1f3b707f3c0568f7db1a8bf7c396683923a4bf70a59009ba3c3a2abaf8766c6c |
| SHA512 | 1ac556cd2ea6ae8a9eea703ad729a25cb85b3cbec03b6ceb066a23ceac991ea2b8748e1b4de628dfc6dc87064ef6ee7b74a2c3d5d5c8aa50a20ec6ee8a65d2ef |
memory/2364-20-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2364-19-0x00000000002F0000-0x0000000000342000-memory.dmp
memory/2364-18-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3068-21-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3068-22-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3068-23-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3068-24-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-26-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-28-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-34-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-32-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-35-0x0000000000400000-0x0000000000495000-memory.dmp
memory/3068-30-0x00000000022E0000-0x000000000238A000-memory.dmp
memory/3068-36-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-38-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-41-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-47-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-48-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-83-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-86-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-85-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-82-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-80-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-79-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-78-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-77-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-76-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-75-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-74-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-73-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-72-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-71-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-70-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-69-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-68-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-67-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-66-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-65-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-63-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-61-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-60-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-59-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-57-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-56-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-55-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-54-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-53-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-52-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-51-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-50-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-49-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-84-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-81-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-46-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-45-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-64-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-44-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-62-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-43-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-58-0x0000000002490000-0x0000000002547000-memory.dmp
memory/3068-42-0x0000000002490000-0x0000000002547000-memory.dmp