919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf

General

Target

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
Size

114KB
MD5

32076c70f4bed33da3e9f54a9feb0ef1
SHA1

b550c459d0e9d41307b11fd2af05f789645de412
SHA256

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf
SHA512

5147ca816f8db22a637d99da6af418245792c6e5b3f538d166cb4c5c18da9b723cccb81a786c70b934d7d70ca841dbd839ea850567bbdafbd549b1506b1b3fdd
SSDEEP

3072:zx/vggcs61z2fTkA8TM/BlV2td4WetIfHDv:V/vgg5618TQTgBlUtHTf

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

592 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

568 svchost.exe
568 svchost.exe

pid	process
592	svchost.exe

pid	process
568	svchost.exe
568	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe

description	pid	process	target process
PID 1704 set thread context of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 set thread context of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exesvchost.exe

pid	process
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe
1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
592	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe

description pid process

Token: SeDebugPrivilege 1704 919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe

description	pid	process
Token: SeDebugPrivilege	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exesvchost.exe

description	pid	process	target process
PID 1704 wrote to memory of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 1484	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 1704 wrote to memory of 568	1704	919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe	svchost.exe
PID 568 wrote to memory of 592	568	svchost.exe	svchost.exe
PID 568 wrote to memory of 592	568	svchost.exe	svchost.exe
PID 568 wrote to memory of 592	568	svchost.exe	svchost.exe
PID 568 wrote to memory of 592	568	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe
"C:\Users\Admin\AppData\Local\Temp\919de11e3ba65b19b6b2c36501182369c16e5073505e25db5d07da1d20475baf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\WINDOWS\SysWOW64\svchost.exe
"C:\WINDOWS\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
PID:1484

C:\WINDOWS\SysWOW64\svchost.exe
"C:\WINDOWS\SysWOW64\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\svchost.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\svchost.exe

Filesize
57KB

MD5
f16879ae4d83e8a129dc715132e2977d

SHA1
a12a3d02c33b9cb51e73c0875b9370638a7d2ac7

SHA256
3a284cacabae309c932754bdf0cdfb6edceaeca09e30339503f22da5c75c5a9a

SHA512
37ea4b4c00cb60806b7323f664c7e7fe12a6ef536919898abe6bf37aff18000fd0a63fb70ca78517812389d277efa6ecc0d0598a3fb7c6b4da13bf6dfc2b99c5

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\svchost.exe

Filesize
57KB

MD5
f16879ae4d83e8a129dc715132e2977d

SHA1
a12a3d02c33b9cb51e73c0875b9370638a7d2ac7

SHA256
3a284cacabae309c932754bdf0cdfb6edceaeca09e30339503f22da5c75c5a9a

SHA512
37ea4b4c00cb60806b7323f664c7e7fe12a6ef536919898abe6bf37aff18000fd0a63fb70ca78517812389d277efa6ecc0d0598a3fb7c6b4da13bf6dfc2b99c5

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\svchost.exe

Filesize
57KB

MD5
f16879ae4d83e8a129dc715132e2977d

SHA1
a12a3d02c33b9cb51e73c0875b9370638a7d2ac7

SHA256
3a284cacabae309c932754bdf0cdfb6edceaeca09e30339503f22da5c75c5a9a

SHA512
37ea4b4c00cb60806b7323f664c7e7fe12a6ef536919898abe6bf37aff18000fd0a63fb70ca78517812389d277efa6ecc0d0598a3fb7c6b4da13bf6dfc2b99c5

Download Submit
memory/568-62-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/568-63-0x00000000000829D0-mapping.dmp

Download
memory/592-67-0x0000000000000000-mapping.dmp

Download
memory/1484-55-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/1484-57-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/1484-58-0x0000000000101FF0-mapping.dmp

Download
memory/1704-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads