a08f18c6a34c167bf5ea4fe4fe3d2e0f92911e5b0b20aeefd08410c1ef9f72ec

General

Target

?????????????????????wsoihsd.com.exe
Size

1.3MB
MD5

b96da8840dfc5642c077fa473bc6611f
SHA1

850f1c0cc772eb2d35c97eb3dd6e66b1ff1750bd
SHA256

d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c
SHA512

942e10b931027ca42fce30d27dc6f02df65e2a1840b6bc0254c84629de2b3b7180a19411cef60c195431efa53f81ec594689e801fedb954a90f86b42d1eec68f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Jklmno.exeJklmno.exe

pid process

1300 Jklmno.exe
1808 Jklmno.exe

pid	process
1300	Jklmno.exe
1808	Jklmno.exe

Drops file in Windows directory 4 IoCs

Processes:

_____________________wsoihsd.com.exeJklmno.exe

description	ioc	process
File created	C:\Windows\Jklmno.exe	_____________________wsoihsd.com.exe
File opened for modification	C:\Windows\Jklmno.exe	_____________________wsoihsd.com.exe
File opened for modification	C:\Windows\Jklmno.exe	Jklmno.exe
File created	C:\Windows\Jklmno.exe	Jklmno.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

Jklmno.exeJklmno.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Jklmno.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\Group = "Fatal"	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Jklmno.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx	Jklmno.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\InstallTime = "2021-06-20 21:41"	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	Jklmno.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Jklmno.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	Jklmno.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

_____________________wsoihsd.com.exeJklmno.exeJklmno.exe

description	pid	process
Token: SeDebugPrivilege	3984	_____________________wsoihsd.com.exe
Token: SeDebugPrivilege	1300	Jklmno.exe
Token: SeDebugPrivilege	1808	Jklmno.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Jklmno.exe

description	pid	process	target process
PID 1300 wrote to memory of 1808	1300	Jklmno.exe	Jklmno.exe
PID 1300 wrote to memory of 1808	1300	Jklmno.exe	Jklmno.exe
PID 1300 wrote to memory of 1808	1300	Jklmno.exe	Jklmno.exe

C:\Users\Admin\AppData\Local\Temp\_____________________wsoihsd.com.exe
"C:\Users\Admin\AppData\Local\Temp\_____________________wsoihsd.com.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe Win7
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\SVP7.PNG
MD5
b02e46db6e44bab74dccf4cfd14a1076

SHA1
295a06cc304356f7f9671c03fc858dc071e1f391

SHA256
24448f93ddeadd0d1c71f273e6a080f0f6200cc0c753f88efb06fced3c816ebf

SHA512
a53948cdef001502e0dc17c0ecf5331dfcff78c54b41d3a4bd11cbe73afe61a55339689d5192fcad7e7f2a805a7b8ada4fadd3b6e637738c589d5c91603e77b4

Download Submit
C:\Windows\Jklmno.exe
MD5
b96da8840dfc5642c077fa473bc6611f

SHA1
850f1c0cc772eb2d35c97eb3dd6e66b1ff1750bd

SHA256
d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c

SHA512
942e10b931027ca42fce30d27dc6f02df65e2a1840b6bc0254c84629de2b3b7180a19411cef60c195431efa53f81ec594689e801fedb954a90f86b42d1eec68f

Download Submit
C:\Windows\Jklmno.exe
MD5
b96da8840dfc5642c077fa473bc6611f

SHA1
850f1c0cc772eb2d35c97eb3dd6e66b1ff1750bd

SHA256
d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c

SHA512
942e10b931027ca42fce30d27dc6f02df65e2a1840b6bc0254c84629de2b3b7180a19411cef60c195431efa53f81ec594689e801fedb954a90f86b42d1eec68f

Download Submit
C:\Windows\Jklmno.exe
MD5
b96da8840dfc5642c077fa473bc6611f

SHA1
850f1c0cc772eb2d35c97eb3dd6e66b1ff1750bd

SHA256
d5aa8ca98c65f958cea8f4a831a15ca2af8c375277a06584ba0d786e919db43c

SHA512
942e10b931027ca42fce30d27dc6f02df65e2a1840b6bc0254c84629de2b3b7180a19411cef60c195431efa53f81ec594689e801fedb954a90f86b42d1eec68f

Download Submit
memory/1300-119-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1808-121-0x0000000000000000-mapping.dmp

Download
memory/3984-114-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads