0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
Size

204KB
MD5

67aaef7927e3eee14ad886752c81976b
SHA1

94556579509742e1be30dc8d1a0c26eb78790233
SHA256

0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04
SHA512

0befc2d61492850e9e8232bcab27cf7988437d1f5b88367b8b015cefde84cbdd1ce100223571181d29d987ce4103a48e208085ec2fdf921fc0ab1bcd2aa8dc92
SSDEEP

3072:mO/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:mgFtboVBJtNWyPnYG4fUbk

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\78a41585 = "C:\\Windows\\apppatch\\svchost.exe"	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\78a41585 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2256	2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe	29
PID 2220 wrote to memory of 2256	2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe	29
PID 2220 wrote to memory of 2256	2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe	29
PID 2220 wrote to memory of 2256	2220	0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe	29

C:\Users\Admin\AppData\Local\Temp\0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe
"C:\Users\Admin\AppData\Local\Temp\0950663ad0e7a2498cd96444cf37f8fe4c3646fc0056b6abd25d0ccd1a781d04.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
99KB

MD5
ed05167ca22048b2bd938b29aec127e9

SHA1
7564825365d7bb5913d71767efceef91b8d8ad44

SHA256
a5bdbeba9b85386284b3228ef667664b4ce008044317da64cb4aba3f633e0766

SHA512
9edd3b23b2e984e04074d9bedae2f2012a4f37dc06ef7149087f2a6ccc661281e8ee8a376580538c8592519d7733229d5e23f7599675308b1ffd2b6f9ce3fc15

Download Submit
C:\Program Files (x86)\Windows Defender\galyqaz.com

Filesize
99KB

MD5
5ea8a8239f6d8e82bbc13d31dba987f9

SHA1
b0c5179ffcc12235a655f3026f5e6cc32469c3fc

SHA256
78622cc6edb104e16825030b1e172c017b7a12e17416b8384709c0639b6f3d2b

SHA512
36382be3b6426505819cc5ab2a8aea53716371e0452629771303d1371fb1e2f8e721bf3fffee2bc99bf137be04bb4eee8254eda9088bdfbdba06e6d57d1c615c

Download Submit
C:\Program Files (x86)\Windows Defender\vojyqem.com

Filesize
1KB

MD5
41a9e52c31d297fd53e9478e2bb3872a

SHA1
1a12ad93ae36540d2bd4c6292c6229f8105d598d

SHA256
48a12734598348e741bbb7da28340aee9ab1d07198e21112dd3a49ae35063f80

SHA512
cf57b59c285f8f58b897f7412bd3508ccf6c06d83d254d1ca565076b37b5a46db5d95be64ffe1647f2d0bb81dd9111df50b80a372d75b15f5deb14784469b72e

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
69cb8bbafaaba49747cb62e00bc68080

SHA1
e7e1fedf55c74460306016306d565e9763f2c809

SHA256
3280551b4217597b29ca2f31aae9c70e2c5245a09ff8253044abd8adae6dc36c

SHA512
1cc9f89da94e099e98acf77fd65db2619aeae2febdb7f669448210261860ad4d370f3af5564df38c42c80e97c530240923a1a95eefb0560911914e6be5c8c5ef

Download Submit
memory/2220-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2220-1-0x0000000001BE0000-0x0000000001C2F000-memory.dmp

Filesize
316KB

Download
memory/2220-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2220-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2220-17-0x0000000001BE0000-0x0000000001C2F000-memory.dmp

Filesize
316KB

Download
memory/2220-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2256-74-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-69-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2256-32-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-30-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-28-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-33-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2256-26-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-25-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-22-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2256-34-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-36-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-38-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-47-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-60-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-84-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-83-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-82-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-81-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-80-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-78-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-77-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-76-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-75-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-19-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2256-73-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-72-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-71-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-70-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2256-68-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-67-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-66-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-65-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-64-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-63-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-61-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-59-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-58-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-57-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-56-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-55-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-54-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-53-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-52-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-51-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-50-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-49-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-48-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-46-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-45-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-44-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-43-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-41-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-79-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-62-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-42-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download
memory/2256-40-0x00000000025F0000-0x00000000026A1000-memory.dmp

Filesize
708KB

Download