726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1

General

Target

726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe
Size

338KB
MD5

1c1a3953f986a78a0cbab8ad355173ca
SHA1

27d7cf26bb775b85343d8d5374bf06000d8a549f
SHA256

726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1
SHA512

48a476ed896206256057d3e7309dd17266202aef76a00544feb0ba5b0950cfa353ae22e93b93ec1ffcc972819c3d7a184e68a2484c25c0e6753a4be8f398c409
SSDEEP

6144:fExz45TS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:VTS71Dq+pcYWWqtfxvSQj2f

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4936	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\69b37046 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\69b37046 = "C:\\Windows\\apppatch\\svchost.exe"	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	svchost.exe
4936	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2392	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4936	2392	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe	84
PID 2392 wrote to memory of 4936	2392	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe	84
PID 2392 wrote to memory of 4936	2392	726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe	84

C:\Users\Admin\AppData\Local\Temp\726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe
"C:\Users\Admin\AppData\Local\Temp\726a480d8f657945dea859b502f5be70087d516109b3dc674d0aea22045a78c1.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
338KB

MD5
7b97f64e90117429ce7c20d69f611809

SHA1
ac892865fbc26ab9269367e8e0f65861a7c7e652

SHA256
e7588b45a6180349b94f642cdb1c2af2d4511e852331fb2d2accf5e22a14ed46

SHA512
4fb030fe346adbb4583672ccbf1571d1bed2c395d1c3d5874bdb27c073292a42a18d7641238d4bd455d43981b938bb7cdde807fd68d0d86aad6506b44ce3310f

Download Submit
memory/2392-8-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/4936-10-0x0000000003310000-0x000000000339C000-memory.dmp

Filesize
560KB

Download
memory/4936-13-0x0000000003800000-0x000000000389B000-memory.dmp

Filesize
620KB

Download
memory/4936-14-0x0000000003800000-0x000000000389B000-memory.dmp

Filesize
620KB

Download
memory/4936-16-0x0000000003800000-0x000000000389B000-memory.dmp

Filesize
620KB

Download
memory/4936-46-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/4936-44-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4936-43-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4936-72-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4936-71-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4936-67-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4936-65-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4936-64-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/4936-19-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/4936-61-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4936-60-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/4936-58-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4936-57-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4936-54-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4936-53-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4936-51-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4936-50-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4936-47-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4936-39-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4936-37-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4936-36-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4936-33-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4936-32-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/4936-30-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4936-29-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/4936-26-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4936-25-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4936-23-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/4936-22-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4936-21-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4936-82-0x0000000003800000-0x000000000389B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads