8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
Size

237KB
MD5

761a61a48968756a16fe28f44ac2cf9e
SHA1

b489a111da5a02591823aa1530f28a41b6147c30
SHA256

8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c
SHA512

85fee1d9474bb742159a8e243b6ada740854c19a24411b695961d772280455e5ab67fbe3a91891805dda289f344d7551f2f1ce6bd6176b8b97d1c21d47d99e08
SSDEEP

6144:sD8okEvTyoZVOgd2QZiw5NLclL5orfQH:usjCF2QZiOU+4

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f4cf021c = "C:\\Windows\\apppatch\\svchost.exe"	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f4cf021c = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\svchost.exe	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
File created	C:\Windows\apppatch\svchost.exe	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2416	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2416	2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe	30
PID 2360 wrote to memory of 2416	2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe	30
PID 2360 wrote to memory of 2416	2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe	30
PID 2360 wrote to memory of 2416	2360	8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe	30

C:\Users\Admin\AppData\Local\Temp\8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe
"C:\Users\Admin\AppData\Local\Temp\8c5b9692901214654c1398107f7f3e4dbeb248b6151309ed3b817fd27263ae7c.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
237KB

MD5
13387a1f0a390348d633cb1d21d770c7

SHA1
c45de8f19d4d1b95bf33962e99892b2041a2a70c

SHA256
3fb25c46e75c9edf577391cd67e9ae50d553485c7c871b340ab79be840fcccae

SHA512
c3027fc346ddb4370058ac3990ccd47c22c7ffc4e5cddb4fffdebee776e3a0a3511b1bccd324035f07d64598832a95240a856f2b4466271489ce1f1ee96b6223

Download Submit
memory/2360-0-0x0000000002180000-0x00000000021E5000-memory.dmp

Filesize
404KB

Download
memory/2360-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2360-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2360-16-0x0000000002180000-0x00000000021E5000-memory.dmp

Filesize
404KB

Download
memory/2416-78-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/2416-71-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2416-22-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-30-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-28-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2416-24-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-26-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-20-0x0000000002690000-0x000000000271C000-memory.dmp

Filesize
560KB

Download
memory/2416-32-0x0000000002760000-0x00000000027FB000-memory.dmp

Filesize
620KB

Download
memory/2416-36-0x0000000002760000-0x00000000027FB000-memory.dmp

Filesize
620KB

Download
memory/2416-34-0x0000000002760000-0x00000000027FB000-memory.dmp

Filesize
620KB

Download
memory/2416-82-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2416-81-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2416-79-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2416-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2416-75-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2416-74-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2416-72-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2416-19-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2416-68-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2416-67-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/2416-65-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/2416-64-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/2416-60-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2416-58-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/2416-57-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/2416-54-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/2416-53-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2416-51-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2416-50-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2416-47-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2416-46-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2416-44-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2416-43-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2416-42-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2416-40-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download