22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77

General

Target

22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
Size

185KB
MD5

7ba47942e3a561db346c230f7b53253a
SHA1

465c57f9a98b4689d00540653fb00971db32e36c
SHA256

22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77
SHA512

64a18dfc11ed04fc54fbd2fdb87aa31197b3b5fe93cd96c40f0bf39973e4d31e3ce353230207f8025e50d4d11e03b7c75eaa4bd73cb4cb16efce1bfbd598ad3a
SSDEEP

3072:SqJZXS7XlU7IHr7fVLMdNF22Qcjst9zqO2jT0AooNIqhpdLaehggC:9nX2U7IHr7dLMd62Q8gzqrzNIILD6gC

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20698 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccsoqf.com"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccsoqf.com	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 2044 wrote to memory of 1148	2044	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	26
PID 1148 wrote to memory of 1656	1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	27
PID 1148 wrote to memory of 1656	1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	27
PID 1148 wrote to memory of 1656	1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	27
PID 1148 wrote to memory of 1656	1148	22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe	27

C:\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
"C:\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe
  "C:\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in Program Files directory
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Filesize
185KB

MD5
7ba47942e3a561db346c230f7b53253a

SHA1
465c57f9a98b4689d00540653fb00971db32e36c

SHA256
22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77

SHA512
64a18dfc11ed04fc54fbd2fdb87aa31197b3b5fe93cd96c40f0bf39973e4d31e3ce353230207f8025e50d4d11e03b7c75eaa4bd73cb4cb16efce1bfbd598ad3a

Download Submit
\Users\Admin\AppData\Local\Temp\22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77.exe

Filesize
185KB

MD5
7ba47942e3a561db346c230f7b53253a

SHA1
465c57f9a98b4689d00540653fb00971db32e36c

SHA256
22cf2686e5889e5ce88aa31c3de31d923e63cc3fd86633e4e1b34c365d6fbc77

SHA512
64a18dfc11ed04fc54fbd2fdb87aa31197b3b5fe93cd96c40f0bf39973e4d31e3ce353230207f8025e50d4d11e03b7c75eaa4bd73cb4cb16efce1bfbd598ad3a

Download Submit
memory/1148-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1148-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1148-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1148-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1148-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-66-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1656-67-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1656-68-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing