e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529

General

Target

e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
Size

338KB
MD5

6b774827e14741d6bfdfdc2959473210
SHA1

8c33fc56e3412d31908c09c689deeba489bd80a0
SHA256

e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529
SHA512

09720e99acae8c4c9918df9d7394417f1e43ee076d33e3974b3c0c330fa336341aad710ddc27f89525c2b73fced8ffc91cc5013889c5c4207ddaaf7b99197d33
SSDEEP

6144:uExz45lS77IQi8Dq+9fXphN2LfjEcYzaWqr57Q7Xwxc4SQjWvvf:8lS71Dq+pcYWWqtfxvSQj2f

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
464	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d42b8c24 = "C:\\Windows\\apppatch\\svchost.exe"	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d42b8c24 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	svchost.exe
464	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4264	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 464	4264	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe	82
PID 4264 wrote to memory of 464	4264	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe	82
PID 4264 wrote to memory of 464	4264	e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe	82

C:\Users\Admin\AppData\Local\Temp\e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe
"C:\Users\Admin\AppData\Local\Temp\e90cec933eac90ffb6764a41ea9f957130de117214f82c5c9dc6442c03b08529N.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Winlogon Helper DLL

2

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
338KB

MD5
09b5a75024898669e909c0f4da4615e0

SHA1
53ae8b2973702970ccfe7e0f23380ee8a5055a67

SHA256
b9d321032fda8ae2098939a9c103e9ceab9dbd60f44dde08bcb716875cd1cab5

SHA512
cbbd7889dc3f8e6841321ee6265c4421cd8df449388422ab01cb2df0db0aeaae5a3168c7345a2f625b13fe6a69732f6fbf2f5a72118a1e72f4c92834f5ce8524

Download Submit
memory/464-64-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/464-60-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/464-11-0x0000000003A00000-0x0000000003A9B000-memory.dmp

Filesize
620KB

Download
memory/464-13-0x0000000003A00000-0x0000000003A9B000-memory.dmp

Filesize
620KB

Download
memory/464-16-0x0000000003A00000-0x0000000003A9B000-memory.dmp

Filesize
620KB

Download
memory/464-59-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/464-18-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/464-21-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/464-22-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/464-20-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/464-25-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/464-45-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/464-43-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/464-42-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/464-71-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/464-70-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/464-66-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/464-81-0x0000000003A00000-0x0000000003A9B000-memory.dmp

Filesize
620KB

Download
memory/464-10-0x0000000003630000-0x00000000036BC000-memory.dmp

Filesize
560KB

Download
memory/464-63-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/464-15-0x0000000003A00000-0x0000000003A9B000-memory.dmp

Filesize
620KB

Download
memory/464-57-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/464-56-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/464-46-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/464-53-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/464-52-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/464-50-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/464-49-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/464-38-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/464-36-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/464-35-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/464-32-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/464-31-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/464-29-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/464-28-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/464-24-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4264-8-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads