ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb

General

Target

ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe
Size

338KB
MD5

8381fa95b5086f2458e312417ef2ad08
SHA1

3715543c229b41966b9676467c2164f3ab1442ad
SHA256

ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb
SHA512

aab06d243347348ba2a41201b38ad9c1f2a40aa3b3b496956621d7b81caab451a0136716d6311f6966cbce9f73c70d8898bc65479fad85e88a34e482a49a43d4
SSDEEP

6144:uExz45TS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvfr:8TS71Dq+pcYWWqtfxvSQj2fr

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3db6775e = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3db6775e = "C:\\Windows\\apppatch\\svchost.exe"	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	svchost.exe
3588	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4620	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3588	4620	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe	83
PID 4620 wrote to memory of 3588	4620	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe	83
PID 4620 wrote to memory of 3588	4620	ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe	83

C:\Users\Admin\AppData\Local\Temp\ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe
"C:\Users\Admin\AppData\Local\Temp\ccf371f130681c9c3f884706edf3b8730219256e93cab96780fd1f44901c18fb.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
338KB

MD5
cfd24fdb7b90059646771e6c98c6a147

SHA1
35c1d2410220ee1be37e40946bdc65e167145c81

SHA256
1bf3cf0d21f1db2b9c497141117ac2ba5ef4629078f35361cc3aaf99c651cb31

SHA512
624d01c8a0e946344378322b280a7d5598bf16b6ddf539ae9994f4bc73799aa4181e6f7efd82a305610dbbd363c57ee7f9aa3cd881db4ae8cd63a6dda8109898

Download Submit
memory/3588-52-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/3588-10-0x0000000002A20000-0x0000000002AAC000-memory.dmp

Filesize
560KB

Download
memory/3588-11-0x0000000002E00000-0x0000000002E9B000-memory.dmp

Filesize
620KB

Download
memory/3588-13-0x0000000002E00000-0x0000000002E9B000-memory.dmp

Filesize
620KB

Download
memory/3588-15-0x0000000002E00000-0x0000000002E9B000-memory.dmp

Filesize
620KB

Download
memory/3588-18-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/3588-20-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/3588-71-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/3588-70-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/3588-66-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/3588-64-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/3588-63-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/3588-60-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/3588-59-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/3588-57-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3588-56-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/3588-81-0x0000000002E00000-0x0000000002E9B000-memory.dmp

Filesize
620KB

Download
memory/3588-53-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3588-31-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/3588-49-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/3588-46-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3588-45-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/3588-43-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/3588-42-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/3588-38-0x0000000003EB0000-0x0000000003EB1000-memory.dmp

Filesize
4KB

Download
memory/3588-36-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/3588-35-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/3588-32-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/3588-50-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3588-29-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/3588-28-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/3588-25-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/3588-24-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/3588-22-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/3588-21-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/4620-8-0x0000000000160000-0x00000000001C7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads