a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b

General

Target

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Size

380KB
MD5

39bd4a7ead44dc8f844b89d9ceafbd15
SHA1

f90b9d59c2afdffe9db11deafffb681d7355dcbc
SHA256

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b
SHA512

1a0bb2e03c9170fac5594177976840fb0825487efff65b297b44e1135bfd3209b4222de7ffdcf99163cd448a6871f07647bb44e9ab9f8dfcb6c6f73e1f04bcb4
SSDEEP

6144:MRAhhJxX7bNINTf4cC05nh+H02MzE+mCMNUxU1pAD7Dbir70wFrSL7ta4:UsAqMGHmzDmB51gvbvwUL7tZ

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

svchost.exea117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1000 svchost.exe

pid	process
1000	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msbhl32.exe"	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msbhl32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vcl32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File created	C:\Windows\SysWOW64\msbhl32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File opened for modification	C:\Windows\SysWOW64\msbhl32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File created	C:\Windows\SysWOW64\concp32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

Drops file in Windows directory 2 IoCs

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

description	ioc	process
File created	C:\Windows\svchost.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
File opened for modification	C:\Windows\svchost.exe	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

Modifies registry class 12 IoCs

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 693ec2b9082cb257ae5c26d331c6d567	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA9B119-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

pid process

1672 a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

pid	process
1672	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe

description	pid	process	target process
PID 1672 wrote to memory of 1000	1672	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe	svchost.exe
PID 1672 wrote to memory of 1000	1672	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe	svchost.exe
PID 1672 wrote to memory of 1000	1672	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe	svchost.exe
PID 1672 wrote to memory of 1000	1672	a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe
"C:\Users\Admin\AppData\Local\Temp\a117fd485f770fff0531ee0244e687efcc8a0b933249ab2977bae83017da125b.exe"
1⤵
- Modifies system executable filetype association
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Modifies registry class
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
380KB

MD5
496d75fe9716a38b2f24dfcbd8beddfa

SHA1
6aafd1c337afd0beb0baba2a8d9935d43c349473

SHA256
2b8c980a96067e91d7b34261729fde0a33158ff366baa6d670975e78848d0d7d

SHA512
ef94c47d52139cbe2efc94c7af5ba754e5af9c66c0b5e9b5dc45a65d8ed2c1249e6f32af5f3830805eaad1cfff4d60935ac1f4c3afc6044fd3d8a7c45375a4cf

Download Submit
memory/1000-55-0x0000000000000000-mapping.dmp

Download
memory/1000-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads