a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082

General

Target

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082
Sample

191025-1blc144gba
SHA256

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082

Score

N/A

Malware Config

Signatures

Uses Task Scheduler COM API 1 TTPs 29 IoCs

persistence

Query Registry

T1012

Processes:

svchost.exesvchost.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	3020	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	3020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	3020	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	3020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	3020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	3020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	3020	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	3020	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	4488	svchost.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	4488	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	4488	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32	4488	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\	4488	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	4488	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	4488	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	4488	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTakeOwnershipPrivilege 3020 svchost.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3020	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\services\ = "0"	3020	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\services\ = "0"	4488	svchost.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITS8c0d317f-78ce-46c7-a1aa-f9292f51803a"	4524	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

description	pid	process	target process
PID 4924 set thread context of 5080	4924	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
PID 1004 set thread context of 2084	1004	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
PID 3664 set thread context of 4400	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exeSppExtComObj.exea34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

description	pid	process	target process
PID 4924 wrote to memory of 5080	4924	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
PID 5100 wrote to memory of 4292	5100	SppExtComObj.exe	SLUI.exe
PID 5080 wrote to memory of 1004	5080	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
PID 1004 wrote to memory of 2084	1004	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
PID 2084 wrote to memory of 3020	2084	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	svchost.exe
PID 3664 wrote to memory of 4400	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
PID 4400 wrote to memory of 4488	4400	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe	svchost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

pid	process
4924	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
1004	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Executes dropped EXE 5 IoCs

Processes:

a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

pid	process
1004	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
2084	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
4400	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Drops file in system dir 17 IoCs

Processes:

a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exesvchost.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

description	ioc	pid	process
File created (read-only)	C:\Windows\TEMP\nsbB263.tmp	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File deleted	C:\Windows\Temp\nsbB263.tmp	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File created (read-only)	C:\Windows\TEMP\nsqB273.tmp	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File deleted	C:\Windows\Temp\nsqB273.tmp	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File created	C:\Windows\TEMP\nsqB273.tmp\System.dll	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File created	C:\Windows\TEMP\NP	3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	4524	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4524	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	4524	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4524	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	4524	svchost.exe
File created (read-only)	C:\Windows\TEMP\nsjB7BD.tmp	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File deleted	C:\Windows\Temp\nsjB7BD.tmp	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File created (read-only)	C:\Windows\TEMP\nsjB7BE.tmp	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File deleted	C:\Windows\Temp\nsjB7BE.tmp	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File created	C:\Windows\TEMP\nsjB7BE.tmp\System.dll	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
File opened for modification	C:\Windows\TEMP\NP	4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	pid	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4232	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4232	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	pid	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4788	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4788	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exea45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

pid	process
4924	a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
1004	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
3664	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
4952	a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
"C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Loads dropped DLL
PID:4924

C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe
"C:\Users\Admin\AppData\Local\Temp\a34724574b8608308116557503792322d1b7aead2683db636c701462f99f5082.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4292

C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Loads dropped DLL
PID:1004

C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:2084

C:\Windows\SYSTEM32\svchost.exe
svchost.exe
1⤵
- Uses Task Scheduler COM API
- Suspicious use of AdjustPrivilegeToken
- Windows security bypass
PID:3020

C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Drops file in system dir
- Loads dropped DLL
PID:3664

C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:4400

C:\Windows\SYSTEM32\svchost.exe
svchost.exe
1⤵
- Uses Task Scheduler COM API
- Windows security bypass
PID:4488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in system dir
PID:4524

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:1572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4232

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4788

C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe
1⤵
- Executes dropped EXE
- Drops file in system dir
- Loads dropped DLL
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1089
T1031

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NP

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Users\Admin\AppData\Roaming\services\a45735675b8708408227667604793433e2b7afae3784eb747d702573g99g6083.exe

Download Submit
C:\Windows\TEMP\NP

Download Submit
\Users\Admin\AppData\Local\Temp\nsa7FDF.tmp\System.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nseAFB9.tmp\System.dll

Download Submit
\Windows\Temp\nsjB7BE.tmp\System.dll

Download Submit
\Windows\Temp\nsqB273.tmp\System.dll

Download Submit
memory/3020-6-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads