Analysis
-
max time kernel
143s -
max time network
102s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
19-09-2022 07:00
Static task
static1
Behavioral task
behavioral1
Sample
cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe
Resource
win10v2004-20220812-en
General
-
Target
cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe
-
Size
27KB
-
MD5
b28cb16882c9a10c0c280a042a89554b
-
SHA1
a4c49f57403386a01dff8380bc613c78dc11d8cd
-
SHA256
cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad
-
SHA512
0363c7e5ee62dbc256a1f1377a6df738ce3dfca88f8089a1ceff534f961d5fc2ddb23e21047a04549d978d0ecb1b1ec81ce659d60f8edda826c50f02b7d87759
-
SSDEEP
768:L+fuEHnPQKR298R3D89H1RxQjYnaB9yVFnotQB89xw:LWuEHPrR2989D2+F
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2032 sohst.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\360safeup.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arpfw.EXE sohst.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE\debugger = "ntsd -d" sohst.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE\debugger = "ntsd -d" sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE sohst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.EXE\debugger = "ntsd -d" sohst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE sohst.exe -
Deletes itself 1 IoCs
pid Process 760 cmd.exe -
Loads dropped DLL 3 IoCs
pid Process 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 2032 sohst.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\dllcache\linkinfo.dll sohst.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files\sohst.exe sohst.exe File created C:\Program Files\sohst.exe cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\fonts\niuxs.sys sohst.exe File created C:\Windows\fonts\fuckjss.sys sohst.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility for controlling services on the system.
pid Process 2044 sc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe 2032 sohst.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 460 Process not Found 460 Process not Found -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2032 sohst.exe Token: SeDebugPrivilege 2032 sohst.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1016 wrote to memory of 2032 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 28 PID 1016 wrote to memory of 2032 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 28 PID 1016 wrote to memory of 2032 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 28 PID 1016 wrote to memory of 2032 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 28 PID 2032 wrote to memory of 840 2032 sohst.exe 29 PID 2032 wrote to memory of 840 2032 sohst.exe 29 PID 2032 wrote to memory of 840 2032 sohst.exe 29 PID 2032 wrote to memory of 840 2032 sohst.exe 29 PID 840 wrote to memory of 2044 840 cmd.exe 31 PID 840 wrote to memory of 2044 840 cmd.exe 31 PID 840 wrote to memory of 2044 840 cmd.exe 31 PID 840 wrote to memory of 2044 840 cmd.exe 31 PID 1016 wrote to memory of 760 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 32 PID 1016 wrote to memory of 760 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 32 PID 1016 wrote to memory of 760 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 32 PID 1016 wrote to memory of 760 1016 cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe — "C:\Users\Admin\AppData\Local\Temp\cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe" (level 1)
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Program Files\sohst.exe — "C:\Program Files\sohst.exe" (level 2)
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\cmd.exe — cmd /c sc config avp start= disabled (level 3)
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\sc.exe — sc config avp start= disabled (level 4)
- Launches sc.exe
PID:2044
-
-
-
-
C:\Windows\SysWOW64\cmd.exe — cmd /c del "C:\Users\Admin\AppData\Local\Temp\cf39790ed2484a93231afc1058c52d7231baf281c104f9c4ec96ea98e4ad30ad.exe" (level 2)
- Deletes itself
PID:760
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
23KB
MD5 ffa6fcd7e5400b6c36e69659541d1bd2
SHA1 1b411d413f0202063b541b26065c981aa3d04fe9
SHA256 54f8d1ba14a3cb2e97178db9f505990a3ee6940567de779170b7016d97fb46dd
SHA512 e60893de02adcb463202600320e86bb32418d9f3a11b44f1d2d7c471ddd5916e04dda1f62b420be1875674676ec20727a55d9fdab565e5385ae7c44faea18479
-
Filesize
23KB
MD5 ffa6fcd7e5400b6c36e69659541d1bd2
SHA1 1b411d413f0202063b541b26065c981aa3d04fe9
SHA256 54f8d1ba14a3cb2e97178db9f505990a3ee6940567de779170b7016d97fb46dd
SHA512 e60893de02adcb463202600320e86bb32418d9f3a11b44f1d2d7c471ddd5916e04dda1f62b420be1875674676ec20727a55d9fdab565e5385ae7c44faea18479
-
Filesize
23KB
MD5 ffa6fcd7e5400b6c36e69659541d1bd2
SHA1 1b411d413f0202063b541b26065c981aa3d04fe9
SHA256 54f8d1ba14a3cb2e97178db9f505990a3ee6940567de779170b7016d97fb46dd
SHA512 e60893de02adcb463202600320e86bb32418d9f3a11b44f1d2d7c471ddd5916e04dda1f62b420be1875674676ec20727a55d9fdab565e5385ae7c44faea18479
-
Filesize
23KB
MD5 ffa6fcd7e5400b6c36e69659541d1bd2
SHA1 1b411d413f0202063b541b26065c981aa3d04fe9
SHA256 54f8d1ba14a3cb2e97178db9f505990a3ee6940567de779170b7016d97fb46dd
SHA512 e60893de02adcb463202600320e86bb32418d9f3a11b44f1d2d7c471ddd5916e04dda1f62b420be1875674676ec20727a55d9fdab565e5385ae7c44faea18479
-
Filesize
17KB
MD5 48ee1245a78958248ff6cbbaab706d42
SHA1 9be430c4aeb033e1335f568c6d6bc955a9041614
SHA256 2392129364cbc517cb1bbee309bced6de90b75e8a2cd795d601ea7e15e2c12f5
SHA512 2ab1fc5c418982560d75f1813aca5f2cdc17107f53a7ae752e472116ed53734c299e1ab8e451541fc435175f2bc360a4f90e2580aa9fb5ea02a3ca3c1b4095b9