9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4

General

Target

9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Size

108KB
MD5

b70d924452693e80d3b46c8c48b725b3
SHA1

d39e984be2859fb39cc35ccf4b5538d6e6c4b081
SHA256

9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4
SHA512

f301b6b9271d853a1acddf1de9f7850164afcca96a55697b44cfc6340cb9f3a247dbf15bd5c77f9a4e55d724827c9ad050d8fb1e141e66a9b904fe69b3cf4b0c
SSDEEP

768:pmrSjWEt5aAOvLg0uKMLGOlavHE8q8pi6ezRGMo4M+eCWJOrG578eE2aejRtuh2v:0rkhOvLmZnavhnNMXeCW0UE2ab

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\fzx9823.exe = "C:\\Program Files (x86)\\Common Files\\fzx9823.exe:*:Enabled:Windows Live Messenger 8.1 (Safe Mode)"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\fzx9823.exe = "C:\\Program Files (x86)\\Common Files\\fzx9823.exe:*:Enabled:Windows Live Messenger 8.1 (Safe Mode)"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\fzx9823.exe = "C:\\Program Files (x86)\\Common Files\\fzx9823.exe:*:Enabled:Windows Live Messenger 8.1 (Safe Mode)"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Common Files\fzx9823.exe = "C:\\Program Files (x86)\\Common Files\\fzx9823.exe:*:Enabled:Windows Live Messenger 8.1 (Safe Mode)"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Carpeta de Archivos"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Carpeta de Archivos"	svchost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe

Executes dropped EXE 1 IoCs

pid	Process
4856	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Log Agent = "C:\\Program Files (x86)\\Common Files\\svchost.exe"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\12x34.edh	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File opened for modification	C:\Program Files (x86)\Common Files\winlogon.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File opened for modification	C:\Program Files (x86)\Common Files\svchost.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\svchost.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File opened for modification	C:\Program Files (x86)\Common Files\_fe12rmp.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File opened for modification	C:\Program Files (x86)\Common Files\fzx9823.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\fzx9823.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\12x34.edh	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\97315.jak	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\winlogon.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File opened for modification	C:\Program Files (x86)\Common Files\smss.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
File created	C:\Program Files (x86)\Common Files\smss.exe	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Carpeta de Archivos"	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Carpeta de Archivos"	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2880	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
4856	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4856	2880	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe	86
PID 2880 wrote to memory of 4856	2880	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe	86
PID 2880 wrote to memory of 4856	2880	9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe	86

C:\Users\Admin\AppData\Local\Temp\9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe
"C:\Users\Admin\AppData\Local\Temp\9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4.exe"
1⤵
- Modifies firewall policy service
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files (x86)\Common Files\svchost.exe
  "C:\Program Files (x86)\Common Files\svchost.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Hidden Files and Directories

2

T1158

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\svchost.exe

Filesize
108KB

MD5
b70d924452693e80d3b46c8c48b725b3

SHA1
d39e984be2859fb39cc35ccf4b5538d6e6c4b081

SHA256
9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4

SHA512
f301b6b9271d853a1acddf1de9f7850164afcca96a55697b44cfc6340cb9f3a247dbf15bd5c77f9a4e55d724827c9ad050d8fb1e141e66a9b904fe69b3cf4b0c

Download Submit
C:\Program Files (x86)\Common Files\svchost.exe

Filesize
108KB

MD5
b70d924452693e80d3b46c8c48b725b3

SHA1
d39e984be2859fb39cc35ccf4b5538d6e6c4b081

SHA256
9fe3ebc9e9d100a3700a6e66c0fd6367adb08bd0d93aad0c9151dcec974067d4

SHA512
f301b6b9271d853a1acddf1de9f7850164afcca96a55697b44cfc6340cb9f3a247dbf15bd5c77f9a4e55d724827c9ad050d8fb1e141e66a9b904fe69b3cf4b0c

Download Submit
memory/2880-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4856-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4856-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads