710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff

General

Target

710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Size

162KB
MD5

7195d62842154220250c93867baf1bf5
SHA1

bcf17349ecc4d06f38f07c9cc3eafd1303e6e523
SHA256

710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff
SHA512

c832e015e265367687b62e74bfab20ca9ea6dba939cee718e03c085c7a573e2b15d7e0f29949961ad2302be42c1aaf3cb47eb765b2963a373f3de33bf76fcb49
SSDEEP

3072:iyH99g4byc6H5c6HcT66vlmm+6zMal04FpFOmal04F3uhUpjBTO+FueB5YJa+a:iyH7xOc6H5c6HcT66vlmuEPOtWYFa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1180	svchost.exe
5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
4952	svchost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3892	dw20.exe
Token: SeBackupPrivilege	3892	dw20.exe
Token: SeBackupPrivilege	3892	dw20.exe
Token: SeBackupPrivilege	3892	dw20.exe
Token: SeBackupPrivilege	3892	dw20.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1180	3912	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	83
PID 3912 wrote to memory of 1180	3912	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	83
PID 3912 wrote to memory of 1180	3912	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	83
PID 1180 wrote to memory of 5104	1180	svchost.exe	84
PID 1180 wrote to memory of 5104	1180	svchost.exe	84
PID 1180 wrote to memory of 5104	1180	svchost.exe	84
PID 5104 wrote to memory of 3892	5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	88
PID 5104 wrote to memory of 3892	5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	88
PID 5104 wrote to memory of 3892	5104	710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe	88

C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
"C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
    "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Drops file in Windows directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3892

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

Filesize
127KB

MD5
c835a420aa809c291ef1f6063fe98550

SHA1
2c3091affb6ba021964bc717b97dae0debe55194

SHA256
10e8b508abb60d04e16af96fb53f2e1b9f24913ecd0f5100b0f12717b301a7a5

SHA512
946fcb39882adbe370c34d342bd0fc77addc3ca0d5527788a1a6c6c15c374a59308de89f1596fb58498fff349ae030ecf5af14c15c2337f0acac52e93621abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe

Filesize
127KB

MD5
c835a420aa809c291ef1f6063fe98550

SHA1
2c3091affb6ba021964bc717b97dae0debe55194

SHA256
10e8b508abb60d04e16af96fb53f2e1b9f24913ecd0f5100b0f12717b301a7a5

SHA512
946fcb39882adbe370c34d342bd0fc77addc3ca0d5527788a1a6c6c15c374a59308de89f1596fb58498fff349ae030ecf5af14c15c2337f0acac52e93621abc0

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/5104-139-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/5104-141-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads