dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
Size

204KB
MD5

5866cbd8f155f9a52a5c06cfede3f26f
SHA1

89bc8ec013bdac6de4e81eb7e2b7233554b554cc
SHA256

dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85
SHA512

420db1a5e94d5e0991c9dd96da79c6f613b52fa9d4791d05c2930d02b48a9b9957c9cee5cc411d26d7d9b35541d69a9648cb8c2e8273f7e4228e3d329a9f6050
SSDEEP

3072:9O/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:9gFtboVBJtNWyPnYG4fUbk

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9df9bdfc = "C:\\Windows\\apppatch\\svchost.exe"	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9df9bdfc = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vojyqem.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2340	944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe	31
PID 944 wrote to memory of 2340	944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe	31
PID 944 wrote to memory of 2340	944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe	31
PID 944 wrote to memory of 2340	944	dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe	31

C:\Users\Admin\AppData\Local\Temp\dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe
"C:\Users\Admin\AppData\Local\Temp\dee5627b5e4aa2a4d6ab9ab07d28041fce2cbae835ded911608ccc6acf0ebc85.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\vojyqem.com

Filesize
1KB

MD5
d37e82f0a1dff60288f32263a03026c0

SHA1
801258bb764cca58926d4752458190269e6db99a

SHA256
1382cf3ba0e67f4bc4afefbed8f9a7d474426e33b5a297405dd328498aca00bf

SHA512
99731209af7d3c2c7ee488e56e8f07112621ed53bb4bb98aa97af8eb981de25c841fb0b7e2f9bc6e016f6a052d77b3c1e291f9cae1f6ec567b71817b91916935

Download Submit
C:\Users\Admin\AppData\Local\Temp\3671.tmp

Filesize
1KB

MD5
da28ba403a6d9dd81d3ed2a8911230d2

SHA1
05a889527649263fca5c075f0708ff1e010e09c8

SHA256
e7b4afb329a8532787d30efc0c6df39edd54ec1bb87443f40cb1bb3b77e4bc32

SHA512
33e445099301cfeb368870b66aee8f423f1a3fef991ba4f2c464ef276cbe42ca191bfea3a2d2c4ff7379b0c6355164218d89523db62353b81c5a052aad6f787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F50.tmp

Filesize
1KB

MD5
6c354f4a046b942c163af2dc8b1fd5ef

SHA1
afa13f04e160eb83df179ee9db8820d4ba00d235

SHA256
b7c11a6a3871dbc06e38b85990285bda0d7d15f4e4f6a08cb091673d6d5b4127

SHA512
b75579bbbf5f0af36b283edcc22951a2d95fd7b3c9020fb29bdb8bcb1af12cc66e9198c3e9f3dbd81d43cbb8927e444d43af5f779d40542e192c1a3297971f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDA1.tmp

Filesize
1KB

MD5
710b105d5f4f5163dc9db7e997ccbcab

SHA1
9ae8b2da732f680522e118305efba644e6edc241

SHA256
ea3ff7c9536d171c7ff4e04d680fabacd7158936c7c90b5b65b9d912038b59c0

SHA512
eb6b86cd58af18e53e3016373e4577d4fb43f87acd8ef0ee583b7bff1d505336840c9d58087622916b9e80e39a4e66c89fce2967609627d7e78cd194411a4197

Download Submit
\Windows\AppPatch\svchost.exe

Filesize
204KB

MD5
997852d5261d79aec27a086c6108ff31

SHA1
2797c9c5da0f2e29167da6d9b44e36374f89969e

SHA256
0d849e0a7b61c39b59c6baba89281106633a74f50e5ce02a365e0fb4b775dead

SHA512
4543bafc6fc7e04760fbd047d4d0a9b1177252c9f67cf97a86dafc5d461a9d833ed90a8ddb5a6582617fd085ec5b49a6a4d3a6c8e04461a4a19a4e48f1f78179

Download Submit
memory/944-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/944-1-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/944-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/944-19-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/944-18-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/944-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2340-73-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-66-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-32-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-33-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2340-30-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-28-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-26-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-24-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-36-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-38-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-34-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-40-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-51-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-84-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-83-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-82-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-81-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-80-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-79-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-77-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-76-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-75-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-74-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2340-72-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-71-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-70-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-69-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-68-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-22-0x0000000000490000-0x0000000000532000-memory.dmp

Filesize
648KB

Download
memory/2340-65-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-64-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-63-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-62-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-61-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-60-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-59-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-58-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-57-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-56-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-55-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-54-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-52-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-50-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-78-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-49-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-48-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-47-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-67-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-46-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-45-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-44-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-43-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-42-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-53-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download
memory/2340-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2340-17-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2340-41-0x0000000001ED0000-0x0000000001F81000-memory.dmp

Filesize
708KB

Download