8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0

General

Target

8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
Size

338KB
MD5

f2797c3eb0e310ad9f6fc2ed0c03a410
SHA1

c4fc8a77223dafbe61cebcf04fdf121b78342582
SHA256

8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0
SHA512

364729246b6fdf86ae4fd859824aee9286e0b5db610d824ba5a5b10dd2b0ec96a338f613785022fb997037fba1693373ac783350af1a2833af7f246f9c802c29
SSDEEP

6144:cExz45+S77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:W+S71Dq+pcYWWqtfxvSQj2f

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d3240cb6 = "C:\\Windows\\apppatch\\svchost.exe"	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d3240cb6 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1244	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1244	2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe	29
PID 2412 wrote to memory of 1244	2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe	29
PID 2412 wrote to memory of 1244	2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe	29
PID 2412 wrote to memory of 1244	2412	8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe	29

C:\Users\Admin\AppData\Local\Temp\8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe
"C:\Users\Admin\AppData\Local\Temp\8092c02a007001d425d237d99a395bec70205f9811628cd89e740a681845f8a0N.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\svchost.exe

Filesize
338KB

MD5
ec2bce6a22fb58beecad533465328143

SHA1
6165d495c38246afc03ee01f3acfbbe9c82f0d27

SHA256
383efc75a98513f5ab5cc9c1c3ae325882c21f8a55cc0c1d804f5e1598b47b41

SHA512
fb18e04a89c426ab40d86c4db6a1babfb77fdaf0b4992ad719b1e54b4a3904e2059d470eeacdc615601cd4e9208b1a79b2d2768f3a2d1e194ffdf471aa1ea03a

Download Submit
memory/1244-65-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1244-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-22-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-19-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-30-0x0000000000520000-0x00000000005BB000-memory.dmp

Filesize
620KB

Download
memory/1244-28-0x0000000000520000-0x00000000005BB000-memory.dmp

Filesize
620KB

Download
memory/1244-26-0x0000000000520000-0x00000000005BB000-memory.dmp

Filesize
620KB

Download
memory/1244-76-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1244-75-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1244-73-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1244-72-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1244-69-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1244-68-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1244-97-0x0000000000520000-0x00000000005BB000-memory.dmp

Filesize
620KB

Download
memory/1244-66-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1244-44-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1244-61-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1244-59-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1244-58-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1244-54-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1244-52-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1244-51-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1244-48-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1244-47-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1244-45-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1244-62-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1244-41-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1244-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1244-38-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1244-37-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1244-36-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1244-34-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2412-12-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads