17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe
Size

204KB
MD5

82602466558504cb7e0712fe7a0dae80
SHA1

4ed2ed49f51598efd1b6512c367b9c4a712cadb6
SHA256

17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1
SHA512

a84e95f17e179e92e89f3430622ce6d6f0a89e633cc796f5d4c005a64754418a1f87d06b752c8cddd6b69aafef302aa0bf10edf5359521edb4556c23de5895cd
SSDEEP

3072:9O/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:9gFtboVBJtNWyPnYG4fUbk

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe
2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\aefc030a = "C:\\Windows\\apppatch\\svchost.exe"	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\aefc030a = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lysyfyj.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2316	2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe	30
PID 2800 wrote to memory of 2316	2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe	30
PID 2800 wrote to memory of 2316	2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe	30
PID 2800 wrote to memory of 2316	2800	17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe	30

C:\Users\Admin\AppData\Local\Temp\17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe
"C:\Users\Admin\AppData\Local\Temp\17bd4ad69a187dcf600bfb2297540a007947955b0a25d03282a0a23bbe14d2c1N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\lysyfyj.com

Filesize
481B

MD5
cd3d1f07c553ac08acd297627d4ebca9

SHA1
d4389a6aeb7bebf69dbcbd9a8c06cebe875c3191

SHA256
ebd2295dbf981db27e68e377c197132e49f068cb5deab3dc38162940bcdf2aae

SHA512
b727cb30deee4400a3390a029d4b483cc9fc32780eb1c456e8354d84579aa564d5c02a0cf27b9c6cf78c33421bff148c7995d0edcf4d21cee1d809bea411acb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9734.tmp

Filesize
1KB

MD5
d42290af407db8264ef036a63705be54

SHA1
37f59a0b5154a0b702ef82d255146101503852e8

SHA256
6663fae819d7c8b34a05e99ea8837ab6a8f67ab4cc7894b191c17bec83e3472a

SHA512
f2f2645452a16ef442ea47e4e259e9d17b8b472a892fa77bb77be60480ee9f88a6f095fef58eb36967d71beedb750e81730751ceed50f55540920d0efc3c2a09

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
c97987f1427de6c3e961571d1711f22c

SHA1
f71cfc571757ac7dadf0c29ba75735d403766e51

SHA256
585257242548928f256de04b3c66050d20235b58114fee7907ddc2a795154334

SHA512
b4e89012ee1d05387a078bf91c9f2d65559a391e2f4384cff0171b322f63dbb2a22e449222c2a40b22773ac84919aa861f223044907e83bae89d2767ed114e9a

Download Submit
memory/2316-71-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-68-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-19-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-41-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-40-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-43-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-30-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-28-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-26-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-24-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-22-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-38-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-36-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-34-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-33-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-42-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-53-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-84-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-83-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-82-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-81-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-80-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-79-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-78-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-77-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-75-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-74-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-73-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-72-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-32-0x00000000022F0000-0x0000000002392000-memory.dmp

Filesize
648KB

Download
memory/2316-70-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-60-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-69-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-67-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-65-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-64-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-63-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-62-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-61-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-59-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-58-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-57-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-56-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-55-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-54-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-52-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-51-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-50-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-49-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-48-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-76-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-47-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-46-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-66-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-45-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2316-44-0x00000000023A0000-0x0000000002451000-memory.dmp

Filesize
708KB

Download
memory/2800-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2800-1-0x00000000002C0000-0x000000000030F000-memory.dmp

Filesize
316KB

Download
memory/2800-17-0x00000000002C0000-0x000000000030F000-memory.dmp

Filesize
316KB

Download
memory/2800-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download