Malware Analysis Report

2025-08-10 14:57

Sample ID: 241112-pc8cessele
Target: b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
SHA256: b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9
Tags: discovery, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9

Threat Level: Known bad

The file b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, persistence

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Techniques corresponding to the tagged signatures in this report:

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (signatures "Modifies WinLogon for persistence" and "Modifies WinLogon")
T1614.001 System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:12

Reported

2024-11-12 12:14

Platform

win7-20240903-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Note: the stock userinit.exe stays first in the comma-separated list and the dropped binary is appended after it, so logon still behaves normally while winlogon launches the implant at every interactive logon. The write comes from the dropped copy in C:\Windows\apppatch, not from the original sample.

Executes dropped EXE

Process: C:\Windows\apppatch\svchost.exe (no description, indicator or target recorded)

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8b122f4f = "C:\\Windows\\apppatch\\svchost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\8b122f4f = "C:\\Windows\\apppatch\\svchost.exe"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Note: 8b122f4f is not a value name a stock Winlogon key carries, and the second detonation writes the same data under a different name (cd3aad7e), so the name differs between runs. Hunt for any unexpected value under Winlogon rather than for this name.

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\apppatch\svchost.exe (no description, indicator or target recorded)

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe (no description, indicator or target recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe

"C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

The only non-Microsoft name resolved is nonasthmatic.com, queried four times through 8.8.8.8. No TCP connection to it appears in the capture; the only TCP traffic recorded is to www.bing.com on port 80.

Country Destination Domain Proto
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.133:80 www.bing.com tcp
GB 92.123.128.133:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.133:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.133:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 03cb42f3a620bee5e6d0f666c450bf8a
SHA1 7aa1ea7bed816c8786c883ba303db3f10d80220f
SHA256 7c2c5cd99a2d7b4ba91df02b399aaffd18d6a9b6de32959671c826b2f8a92117
SHA512 9587df8c59f9041e2cda4808de6988a361b4ea76f74a0c06c97c72a1147ea38bbc7b2ebef7d70e5003e435574039502f25d6712c3b889cb05ce0a5229b8a1736

memory/1776-36-0x00000000028D0000-0x000000000296B000-memory.dmp

memory/1776-34-0x00000000028D0000-0x000000000296B000-memory.dmp

memory/1776-32-0x00000000028D0000-0x000000000296B000-memory.dmp

memory/1776-31-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1776-30-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-28-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-26-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-24-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-20-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-22-0x00000000025C0000-0x000000000264C000-memory.dmp

memory/1776-19-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1776-18-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2420-17-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2420-16-0x00000000002A0000-0x0000000000305000-memory.dmp

memory/2420-1-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2420-0-0x00000000002A0000-0x0000000000305000-memory.dmp

memory/1776-82-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

memory/1776-81-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

memory/1776-79-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

memory/1776-78-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

memory/1776-75-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

memory/1776-74-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

memory/1776-72-0x0000000003D90000-0x0000000003D91000-memory.dmp

memory/1776-71-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

memory/1776-68-0x0000000003D90000-0x0000000003D91000-memory.dmp

memory/1776-67-0x0000000003D80000-0x0000000003D81000-memory.dmp

memory/1776-65-0x0000000003D60000-0x0000000003D61000-memory.dmp

memory/1776-64-0x0000000003D70000-0x0000000003D71000-memory.dmp

memory/1776-60-0x0000000003D50000-0x0000000003D51000-memory.dmp

memory/1776-58-0x0000000003730000-0x0000000003731000-memory.dmp

memory/1776-57-0x0000000003740000-0x0000000003741000-memory.dmp

memory/1776-54-0x0000000003730000-0x0000000003731000-memory.dmp

memory/1776-53-0x0000000003720000-0x0000000003721000-memory.dmp

memory/1776-51-0x0000000003420000-0x0000000003421000-memory.dmp

memory/1776-50-0x0000000003430000-0x0000000003431000-memory.dmp

memory/1776-47-0x0000000003420000-0x0000000003421000-memory.dmp

memory/1776-46-0x00000000032D0000-0x00000000032D1000-memory.dmp

memory/1776-44-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/1776-43-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/1776-42-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/1776-40-0x0000000002B30000-0x0000000002B31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 12:12

Reported

2024-11-12 12:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Executes dropped EXE

Process: C:\Windows\apppatch\svchost.exe (no description, indicator or target recorded)

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cd3aad7e = "C:\\Windows\\apppatch\\svchost.exe"
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cd3aad7e = "C:\\Windows\\apppatch\\svchost.exe"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\apppatch\svchost.exe (two hits; no description, indicator or target recorded)

Suspicious behavior: RenamesItself

Process: C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe (no description, indicator or target recorded)
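A hunt for the persistence pattern both detonations record (behavioral1 and behavioral2 show the same three indicators), as an added example that is not the sandbox's or the sample's code. It parses a `reg export`-style dump of the Winlogon key, here a constructed sample modelled on the behavioral1 indicators, and flags what the report shows: an extra executable appended to Userinit, a value name that does not belong to a stock Winlogon key (8b122f4f in behavioral1, cd3aad7e in behavioral2), and a binary named svchost.exe living in C:\Windows\apppatch instead of System32. The allowlists of stock value names and of where system binaries live are assumptions for illustration; rebuild them from a clean image of your own build.

```python
"""Flag Winlogon persistence of the kind recorded in this report.

Added example, not the sandbox's or the sample's code. Reads a .reg export
of the Winlogon key and reports Userinit extras, unexpected value names and
system-binary names living outside the system directories.
"""
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: value names normally present under Winlogon (illustrative, not
# exhaustive). Anything outside this set is reported for review.
KNOWN_VALUE_NAMES = {
    "autorestartshell", "background", "cachedlogonscount", "debugservercommand",
    "disablebackbutton", "forceunlocklogon", "legalnoticecaption", "legalnoticetext",
    "passwordexpirywarning", "powerdownaftershutdown", "reportbootok", "shell",
    "shellinfrastructure", "showlogonoptions", "userinit", "vmapplet",
    "winstationsdisabled", "scremoveoption", "disablecad", "autoadminlogon",
    "defaultusername", "defaultdomainname", "lastlogoffendtimeperfcounter",
    "shutdownflags", "disablelockworkstation", "autologonsid", "lastusedusername",
}

# Assumption: directories where these well-known process names legitimately live.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "userinit.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}

# Constructed sample modelled on the behavioral1 indicators (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
"8b122f4f"="C:\\Windows\\apppatch\\svchost.exe"
"AutoRestartShell"=dword:00000001
"VMApplet"="SystemPropertiesPerformance.exe /pagefile"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files write a backslash as \\ and a double quote as \"
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str, key: str = WINLOGON_KEY) -> Dict[str, str]:
    """Return name -> data for the values directly under `key`.

    String data is unescaped; other types (dword:, hex:) are kept verbatim.
    """
    values: Dict[str, str] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        values[name] = data
    return values


def normalize_path(p: str) -> str:
    p = p.strip().strip('"').lower()
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def userinit_extras(userinit: str) -> List[str]:
    """Everything in the comma-separated Userinit list except the stock entry."""
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if normalize_path(e) not in LEGIT_USERINIT]


def unknown_value_names(values: Dict[str, str]) -> List[str]:
    return [n for n in values if n.lower() not in KNOWN_VALUE_NAMES]


def masquerading_paths(paths: List[str]) -> List[str]:
    """Paths whose file name is a system process name but whose directory is not."""
    hits = []
    for p in paths:
        home, _, base = normalize_path(p).rpartition("\\")
        allowed = SYSTEM_BINARY_HOMES.get(base)
        if allowed is not None and home not in allowed:
            hits.append(p)
    return hits


def hunt_winlogon(reg_text: str) -> Dict[str, List[str]]:
    values = parse_reg_export(reg_text)
    userinit = next((v for n, v in values.items() if n.lower() == "userinit"), "")
    extras = userinit_extras(userinit)
    unknown = unknown_value_names(values)
    # eight lowercase hex characters: the naming pattern seen in both detonations
    hex_named = [n for n in unknown if re.fullmatch(r"[0-9a-f]{8}", n)]
    referenced = extras + [values[n] for n in unknown if values[n].lower().endswith(".exe")]
    return {
        "userinit_extras": extras,
        "unknown_values": unknown,
        "hex_named_values": hex_named,
        "masquerading": masquerading_paths(list(dict.fromkeys(referenced))),
    }


if __name__ == "__main__":
    for finding, items in hunt_winlogon(SAMPLE_REG).items():
        print(f"{finding}: {items}")
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (the file is UTF-16, so open it with that encoding). The three checks are deliberately independent: the Userinit check catches the persistence even when the random-named value is absent, and the path check catches the dropped binary even if it were registered somewhere other than Winlogon.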

Processes

C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe

"C:\Users\Admin\AppData\Local\Temp\b13ca74b39894bd5dca71ae6f9156181a9b4761cf192cdc030a204c1f928ecd9.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

As in behavioral1, nonasthmatic.com is the only non-Microsoft name resolved (four queries through 8.8.8.8) and no TCP connection to it appears; the only TCP traffic is to www.bing.com on port 80. This run additionally shows eight reverse (PTR) lookups under in-addr.arpa, one of them for 92.123.128.190, the www.bing.com address contacted.

Country Destination Domain Proto
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.190:80 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 190.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
GB 92.123.128.190:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.190:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp
GB 92.123.128.190:80 www.bing.com tcp
US 8.8.8.8:53 nonasthmatic.com udp

Files

memory/4208-0-0x0000000002200000-0x0000000002265000-memory.dmp

memory/4208-1-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Windows\apppatch\svchost.exe

MD5 6351958787e4f6e5a54b7b8453454482
SHA1 ca4673ee5cfac0e59b03d0a798cc111829ce3083
SHA256 c6506e47927280b2fd3c3839353943ed03a92b0b1a01f45ae5fe5f153cf35fe0
SHA512 0183349ae0ef16bae03fddf583fe0a9e688f62490d4e3456edf99ac43fa6dee94e529fbff3385272d635bb3f817264e2a28b35151f64acc466a3c3f38fca8b98

Note: the dropped C:\Windows\apppatch\svchost.exe has a different hash in each detonation (SHA256 7c2c5cd99a2d7b4ba91df02b399aaffd18d6a9b6de32959671c826b2f8a92117 in behavioral1 versus c6506e47927280b2fd3c3839353943ed03a92b0b1a01f45ae5fe5f153cf35fe0 here), so the dropped copy is not a stable hash indicator. The drop path and the Winlogon value changes are the reliable ones.

memory/4208-13-0x0000000000400000-0x0000000000467000-memory.dmp

memory/4208-12-0x0000000002200000-0x0000000002265000-memory.dmp

memory/1936-14-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1936-15-0x0000000002B70000-0x0000000002BFC000-memory.dmp

memory/1936-16-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1936-17-0x0000000002F40000-0x0000000002FDB000-memory.dmp

memory/1936-21-0x0000000002F40000-0x0000000002FDB000-memory.dmp

memory/1936-19-0x0000000002F40000-0x0000000002FDB000-memory.dmp

memory/1936-24-0x0000000002450000-0x0000000002451000-memory.dmp

memory/1936-26-0x0000000002460000-0x0000000002461000-memory.dmp

memory/1936-70-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1936-69-0x0000000002580000-0x0000000002581000-memory.dmp

memory/1936-66-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1936-77-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/1936-76-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1936-72-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1936-65-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1936-63-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1936-62-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1936-59-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1936-58-0x0000000002530000-0x0000000002531000-memory.dmp

memory/1936-56-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1936-55-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1936-52-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1936-51-0x0000000002500000-0x0000000002501000-memory.dmp

memory/1936-49-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1936-48-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/1936-44-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/1936-42-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/1936-41-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/1936-38-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/1936-37-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/1936-35-0x0000000002480000-0x0000000002481000-memory.dmp

memory/1936-34-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1936-31-0x0000000002480000-0x0000000002481000-memory.dmp

memory/1936-30-0x0000000002470000-0x0000000002471000-memory.dmp

memory/1936-28-0x0000000002450000-0x0000000002451000-memory.dmp

memory/1936-27-0x0000000002460000-0x0000000002461000-memory.dmp