7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6

General

Target

7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe
Size

93KB
MD5

87ab3c97f998f8ed39ed7222fd550778
SHA1

8fcd2ac075ef9cba0953686d1702960ac24c3933
SHA256

7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6
SHA512

87525fb6607882d0b1984f3e5f45021c0b932c1c66fad776cedcb8557a9cb5f391f10ad9c393aed91a53e95e27de72353dad195d78b324884fae775572449a49

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1960 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1960	svchost.exe

Drops startup file 4 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe
Token: 33	1960	svchost.exe
Token: SeIncBasePriorityPrivilege	1960	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exesvchost.exe

description	pid	process	target process
PID 480 wrote to memory of 1960	480	7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe	svchost.exe
PID 480 wrote to memory of 1960	480	7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe	svchost.exe
PID 480 wrote to memory of 1960	480	7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe	svchost.exe
PID 1960 wrote to memory of 1388	1960	svchost.exe	netsh.exe
PID 1960 wrote to memory of 1388	1960	svchost.exe	netsh.exe
PID 1960 wrote to memory of 1388	1960	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe
"C:\Users\Admin\AppData\Local\Temp\7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
3⤵
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
93KB

MD5
87ab3c97f998f8ed39ed7222fd550778

SHA1
8fcd2ac075ef9cba0953686d1702960ac24c3933

SHA256
7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6

SHA512
87525fb6607882d0b1984f3e5f45021c0b932c1c66fad776cedcb8557a9cb5f391f10ad9c393aed91a53e95e27de72353dad195d78b324884fae775572449a49

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
93KB

MD5
87ab3c97f998f8ed39ed7222fd550778

SHA1
8fcd2ac075ef9cba0953686d1702960ac24c3933

SHA256
7d51b570cc6f8bc38ec5c74644442fbabd0b6fb2a67db2b80cc814b1737452e6

SHA512
87525fb6607882d0b1984f3e5f45021c0b932c1c66fad776cedcb8557a9cb5f391f10ad9c393aed91a53e95e27de72353dad195d78b324884fae775572449a49

Download Submit
memory/480-54-0x000007FEF2E80000-0x000007FEF3F16000-memory.dmp

Filesize
16.6MB

Download
memory/480-55-0x0000000001F96000-0x0000000001FB5000-memory.dmp

Filesize
124KB

Download
memory/1388-61-0x0000000000000000-mapping.dmp

Download
memory/1388-62-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1960-56-0x0000000000000000-mapping.dmp

Download
memory/1960-59-0x000007FEF2E80000-0x000007FEF3F16000-memory.dmp

Filesize
16.6MB

Download
memory/1960-60-0x0000000001EC6000-0x0000000001EE5000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads