d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7

General

Target

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
Size

246KB
MD5

7aad2531656da0c3ccdd0e670ac2b6fb
SHA1

b84022ae1f3a1c33ca2ac909f9abd4182d9c7c5a
SHA256

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7
SHA512

3f5e491bfd1fe8c5cd3437ee17d15c34706ef0281c9141eca2a4e6ca5013ed6131298a779623df7706bbf68ec351b892124c74d727856a6c0c2fa6ec763a8402
SSDEEP

6144:koLhB9sYlTjrIhzNSna3LFoj9QDux+XH:k0TjizUna3UsX

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svcnost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svcnost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\xwmscwzljfolz2orhy2bahodrjlawtmu2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xwmscwzljfolz2orhy2bahodrjlawtmu2\\svcnost.exe:*:Enabled:ldrsoft"	svcnost.exe

Drops file in Drivers directory 1 IoCs

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/752-55-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/1732-57-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-59-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-64-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-65-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-66-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1756-70-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/2044-81-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1732-82-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2044-87-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

svcnost.exe

pid process

2044 svcnost.exe
2044 svcnost.exe

pid	process
2044	svcnost.exe
2044	svcnost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xwmscwzljfolz2orhy2bahodrjlawtmu2\\svcnost.exe\""	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svcnost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\desktop.ini	svcnost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exesvcnost.exe

description	pid	process	target process
PID 752 set thread context of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 1756 set thread context of 2044	1756	svcnost.exe	svcnost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

svcnost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry	svcnost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 323332303637393334	svcnost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

pid process

1732 d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

pid process

1732 d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

pid	process
1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

pid	process
1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exed6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exesvcnost.exe

description	pid	process	target process
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 752 wrote to memory of 1732	752	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
PID 1732 wrote to memory of 1756	1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	svcnost.exe
PID 1732 wrote to memory of 1756	1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	svcnost.exe
PID 1732 wrote to memory of 1756	1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	svcnost.exe
PID 1732 wrote to memory of 1756	1732	d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe
PID 1756 wrote to memory of 2044	1756	svcnost.exe	svcnost.exe

C:\Users\Admin\AppData\Local\Temp\d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
"C:\Users\Admin\AppData\Local\Temp\d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
C:\Users\Admin\AppData\Local\Temp\d6cb65a9cdccdfd4ddfbb78e65cad4122e1d4a031b645a819cc229559f8a12c7.exe
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\xwmscwzljfolz2orhy2bahodrjlawtmu2\svcnost.exe
"C:\Users\Admin\AppData\Roaming\xwmscwzljfolz2orhy2bahodrjlawtmu2\svcnost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\xwmscwzljfolz2orhy2bahodrjlawtmu2\svcnost.exe
C:\Users\Admin\AppData\Roaming\xwmscwzljfolz2orhy2bahodrjlawtmu2\svcnost.exe
4⤵
- Modifies firewall policy service
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\desktop.ini

Filesize
9KB

MD5
4a27242b307c6a836993353035fafc16

SHA1
5fea7a41b8f9071848108015d8a952e6f944eea0

SHA256
02fd93f64bda51e1e2991184cac13f077d509712e462c9e44be9cf8e22c06de1

SHA512
35e9c87642b82df2bf0a9312bb0e9abfb98282db1e34032a4d0150d82c5e2f2e13150ddc896f1e954f02288a1e696a4306ee595b94b1e404c6ec17bac64c44be

Download Submit
\Users\Admin\AppData\Roaming\ntuser.dat

Filesize
54KB

MD5
7e8e966927e04a35aec644602b8a9e05

SHA1
d201b0b41e8701818d60ddbf9f334332a512c4da

SHA256
46f18d9fbf63f378d86962cbf24f5ce57ce257555acd4effdcc41c1e2f1adf5c

SHA512
246777c79129a5076b71ca5d3f7e59b06d344f6b5e771892ae8ee68c0b5af9207cd1868b1336b49e6a84665309ad379a33ec6c8e72d7ce41de72153637921a51

Download Submit
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/752-55-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1732-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-69-0x0000000000370000-0x00000000003F8000-memory.dmp

Filesize
544KB

Download
memory/1732-61-0x0000000000460470-mapping.dmp

Download
memory/1732-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1756-70-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1756-67-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2044-76-0x0000000000460470-mapping.dmp

Download
memory/2044-86-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2044-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads