0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fc

Analysis

max time kernel
120s
max time network
74s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 23:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe
Size

204KB
MD5

7ebac559acd47d88a0af3d1e71126830
SHA1

508ad9d4dd196059156583071211aff82b6b56c5
SHA256

0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fc
SHA512

2ef19c2154aab17f0e16ae473d19d1014e8cf414d304cbc88357fe0e2e89c68bd00920fe024226808284308c0241be84bcb505a2a0d612b09ba6fbc5c6273f39
SSDEEP

3072:AO/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:AgFtboVBJtNWyPnYG4fUbk

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe
2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\92c617b4 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\92c617b4 = "C:\\Windows\\apppatch\\svchost.exe"	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\gahyqah.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2940	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2940	2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe	30
PID 2532 wrote to memory of 2940	2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe	30
PID 2532 wrote to memory of 2940	2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe	30
PID 2532 wrote to memory of 2940	2532	0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe	30

C:\Users\Admin\AppData\Local\Temp\0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe
"C:\Users\Admin\AppData\Local\Temp\0f39e5cc86b7fa38caf56b52babac468617046f6e40718626bba66fd114432fcN.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\gahyqah.com

Filesize
24KB

MD5
a56babbfe826bc088678887201e01c89

SHA1
f4058d660b4e7a32869d193d01a0633d4acb4413

SHA256
dc82a53398d27a8e538a6f4406e5a9698f98c0e831443e799bc871ff18e58b48

SHA512
88504ebfcd73d50481a094686ffeb78b1122e459de15ab20926679b669b2b07bcfceba2e6474b6e5f89b2543121e696129e2d93275c119efba52a99dd1dd81ff

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
eb8d67bb700f3716a9583c8adf6ee559

SHA1
1d527810f66a3955dee50b5eefa23b483a972d10

SHA256
4f3cb9afb5cb2b112e80463e56dbf405cbbd0f6e20b81c4f53609d41b6876929

SHA512
45097f1afd4307794b54881781ab34d7dbaf491a20a1d46c302f3b8a0d3b7cae1d71c4be9b11181be03be41acfd2702f042dc2864614c8dd78fdef5fb904e41e

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
42KB

MD5
9f78112fcc2fe1b5c8e56782d52eeb44

SHA1
277638c4265486b6afd0ff7f29156bc4192df24a

SHA256
0885f43ed529b7e8a0fee3c674f1fbe2e61250184148def078d61b6a70eac80c

SHA512
3a580d7ddc44a4077b76ca813cd125c436f386516d06136afb2bded9ffff774e52bb6c616abaae3916d7afe262ff1276309e31118db3b6cf9511cfddaf130478

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
51f58968e096fdc3e1b492217fc8f1b9

SHA1
2860384f733b8db884bd482d2c41a3cb6f0ad47c

SHA256
858b699433ec4c5c1ebb670ed61355b26f80b843f9641682b736be7c4bc006da

SHA512
979ffa35f0c5f4a4282888b49c6afc2c942be5045733bc38913a112d1d0257335851d37596dcb6d10d092f5a83d6b4df6c35bda3563d77b6b11df40c862a156b

Download Submit
memory/2532-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2532-1-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/2532-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2532-17-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/2532-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2940-75-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-70-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2940-24-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-32-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-30-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-33-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2940-28-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-26-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-22-0x00000000021D0000-0x0000000002272000-memory.dmp

Filesize
648KB

Download
memory/2940-34-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-38-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-36-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-47-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-48-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-84-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-83-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-82-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-81-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-80-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-79-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-78-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-77-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-76-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-19-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2940-74-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-73-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-72-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-71-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2940-69-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-67-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-66-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-65-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-64-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-63-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-62-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-61-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-60-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-59-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-58-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-56-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-55-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-54-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-53-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-52-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-51-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-50-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-49-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-46-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-45-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-44-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-42-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-68-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-41-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-57-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-43-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download
memory/2940-40-0x0000000002530000-0x00000000025E1000-memory.dmp

Filesize
708KB

Download