c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d

General

Target

c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
Size

208KB
MD5

2246e84fd55fca789020deb084663d7c
SHA1

fa29765b1c92c36d721650f4ee7f37ac3360d146
SHA256

c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d
SHA512

97b77a3608bad82997a549dffdc7207da035ede84310e7b504b5ea6f0ea49dfe97f11c6ca91f8f144e5409569c759cbf8128c1b8d7dce4e75ff42ceb5e30b22e
SSDEEP

1536:Tc+KQVgd54v2vYEJtFG7gm7fxtS5Yui554vTgzQv:TcLL79vZJhqtkY5Pdzq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1676	SVCH0ST.exe

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SVCH0ST.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutoKill = "C:\\windows\\system\\SVCH0ST.exe"	SVCH0ST.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\windows\system\HJonny.bat	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
File opened for modification	C:\windows\system\SVCH0ST.exe	SVCH0ST.exe
File created	C:\windows\system\SVCH0ST.exe	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
File opened for modification	C:\windows\system\SVCH0ST.exe	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2044	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
1676	SVCH0ST.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1676	1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe	28
PID 1792 wrote to memory of 1676	1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe	28
PID 1792 wrote to memory of 1676	1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe	28
PID 1792 wrote to memory of 1676	1792	c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe	28
PID 1676 wrote to memory of 1244	1676	SVCH0ST.exe	29
PID 1676 wrote to memory of 1244	1676	SVCH0ST.exe	29
PID 1676 wrote to memory of 1244	1676	SVCH0ST.exe	29
PID 1676 wrote to memory of 1244	1676	SVCH0ST.exe	29
PID 1244 wrote to memory of 2044	1244	cmd.exe	31
PID 1244 wrote to memory of 2044	1244	cmd.exe	31
PID 1244 wrote to memory of 2044	1244	cmd.exe	31
PID 1244 wrote to memory of 2044	1244	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe
"C:\Users\Admin\AppData\Local\Temp\c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\windows\system\SVCH0ST.exe
  C:\windows\system\SVCH0ST.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\windows\system\HJonny.bat
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\SVCH0ST.exe

Filesize
208KB

MD5
2246e84fd55fca789020deb084663d7c

SHA1
fa29765b1c92c36d721650f4ee7f37ac3360d146

SHA256
c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d

SHA512
97b77a3608bad82997a549dffdc7207da035ede84310e7b504b5ea6f0ea49dfe97f11c6ca91f8f144e5409569c759cbf8128c1b8d7dce4e75ff42ceb5e30b22e

Download Submit
C:\windows\system\HJonny.bat

Filesize
148B

MD5
ec98dfc30186a237077ae0b735084c87

SHA1
5ffd60221fb4bd3ca2cb76b784fe0854f3464f5d

SHA256
63fe6ae7da94f15e4a81b4deb54742f9349e399b9e8e13feeddbd335b4ea3c3e

SHA512
1e087ae7885b6185763717cf6aeb357f3eb4096aadf941060b714b8b40838ae703b44c405888433c993c3bd1c5b66a93c7265052ab883b4750ce6d7eee36177a

Download Submit
C:\windows\system\SVCH0ST.exe

Filesize
208KB

MD5
2246e84fd55fca789020deb084663d7c

SHA1
fa29765b1c92c36d721650f4ee7f37ac3360d146

SHA256
c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d

SHA512
97b77a3608bad82997a549dffdc7207da035ede84310e7b504b5ea6f0ea49dfe97f11c6ca91f8f144e5409569c759cbf8128c1b8d7dce4e75ff42ceb5e30b22e

Download Submit
\Windows\system\SVCH0ST.exe

Filesize
208KB

MD5
2246e84fd55fca789020deb084663d7c

SHA1
fa29765b1c92c36d721650f4ee7f37ac3360d146

SHA256
c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d

SHA512
97b77a3608bad82997a549dffdc7207da035ede84310e7b504b5ea6f0ea49dfe97f11c6ca91f8f144e5409569c759cbf8128c1b8d7dce4e75ff42ceb5e30b22e

Download Submit
\Windows\system\SVCH0ST.exe

Filesize
208KB

MD5
2246e84fd55fca789020deb084663d7c

SHA1
fa29765b1c92c36d721650f4ee7f37ac3360d146

SHA256
c76d02f2c67ed3181153acbcd72cd3e59ad022b990918a5a0099624bdbc95b1d

SHA512
97b77a3608bad82997a549dffdc7207da035ede84310e7b504b5ea6f0ea49dfe97f11c6ca91f8f144e5409569c759cbf8128c1b8d7dce4e75ff42ceb5e30b22e

Download Submit
memory/1676-66-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing