946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f

General

Target

946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
Size

81KB
MD5

05e7536ed09a82de0ba2fa5c10078dd9
SHA1

5bbc2735a0cd0dc2ce2ae55cd27a01ff744e364d
SHA256

946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f
SHA512

567ae0a224da3ad961915ea557ca9a36361964bb2d288080179828efe4281dec599658e358eedc2796d7bd8c97226c4835c9adaaa9816e9d24c8cfe4f80f279b
SSDEEP

1536:6eH/koi+oI6O7omS+m0h67gprjDYfiCd1Oz09WuHLSIdZ5xszm5X/uZW7:N/kbanD672P7Cye7rSIdZ5xsLZW7

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Update Srv = "C:\\Windows\\winservxv\\svchost.exe"	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Update Srv = "C:\\Windows\\winservxv\\svchost.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1516	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\winservxv\svchost.exe	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
File opened for modification	C:\Windows\winservxv\svchost.exe	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
File created	C:\Windows\winservxv\lsdzvz.dll	svchost.exe
File opened for modification	C:\Windows\winservxv\lsdzvz.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
1516	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1516	904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe	27
PID 904 wrote to memory of 1516	904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe	27
PID 904 wrote to memory of 1516	904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe	27
PID 904 wrote to memory of 1516	904	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe	27

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe

C:\Users\Admin\AppData\Local\Temp\946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe
"C:\Users\Admin\AppData\Local\Temp\946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:904
- C:\Windows\winservxv\svchost.exe
  "C:\Windows\winservxv\svchost.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winservxv\svchost.exe

Filesize
81KB

MD5
05e7536ed09a82de0ba2fa5c10078dd9

SHA1
5bbc2735a0cd0dc2ce2ae55cd27a01ff744e364d

SHA256
946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f

SHA512
567ae0a224da3ad961915ea557ca9a36361964bb2d288080179828efe4281dec599658e358eedc2796d7bd8c97226c4835c9adaaa9816e9d24c8cfe4f80f279b

Download Submit
\Windows\winservxv\svchost.exe

Filesize
81KB

MD5
05e7536ed09a82de0ba2fa5c10078dd9

SHA1
5bbc2735a0cd0dc2ce2ae55cd27a01ff744e364d

SHA256
946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f

SHA512
567ae0a224da3ad961915ea557ca9a36361964bb2d288080179828efe4281dec599658e358eedc2796d7bd8c97226c4835c9adaaa9816e9d24c8cfe4f80f279b

Download Submit
\Windows\winservxv\svchost.exe

Filesize
81KB

MD5
05e7536ed09a82de0ba2fa5c10078dd9

SHA1
5bbc2735a0cd0dc2ce2ae55cd27a01ff744e364d

SHA256
946872420a4abd63dde04f334a65c4e9baba486ac6f5704b9a53e80a7c8b419f

SHA512
567ae0a224da3ad961915ea557ca9a36361964bb2d288080179828efe4281dec599658e358eedc2796d7bd8c97226c4835c9adaaa9816e9d24c8cfe4f80f279b

Download Submit
memory/904-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads