3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28

General

Target

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Size

688KB
MD5

9860857ae826db539e9b7ee6aac5a45f
SHA1

731182257ec3679e4c98bd1d6bab868bfc67f7b0
SHA256

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28
SHA512

6342546c1a7fdd6f41fb43a3a9fda7de044fa9cc470195be638986e5adabb623cb136569a9234c99ed495b7118fbfbcd69b8caed31dca2ab0cf460a8052e4c61
SSDEEP

12288:UsAqMGHGSX1388BxGpDVzUm9AzO+nhuTO6OUHvgTqShXNirBDVO4ZRPyk:UsBbWHzUmxPBD4TqCo84ZRKk

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

svchost.exe3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1928 svchost.exe

pid	process
1928	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mshjm32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mshjm32.exe"	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	ioc	process
File created	C:\Windows\SysWOW64\concp32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File created	C:\Windows\SysWOW64\vcl32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File created	C:\Windows\SysWOW64\mshjm32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File opened for modification	C:\Windows\SysWOW64\mshjm32.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

Drops file in Windows directory 2 IoCs

Processes:

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	ioc	process
File created	C:\Windows\svchost.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
File opened for modification	C:\Windows\svchost.exe	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

Modifies registry class 12 IoCs

Processes:

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\ax = f20d95b7ba847fd1d2faf3e0393c7cd1	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9E9A21D-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

pid process

1444 3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

pid	process
1444	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe

description	pid	process	target process
PID 1444 wrote to memory of 1928	1444	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe	svchost.exe
PID 1444 wrote to memory of 1928	1444	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe	svchost.exe
PID 1444 wrote to memory of 1928	1444	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe	svchost.exe
PID 1444 wrote to memory of 1928	1444	3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe
"C:\Users\Admin\AppData\Local\Temp\3a7c0ff1fae39363406c8004af71cea88d205a7854b60cde2b84cfe9dd435a28.exe"
1⤵
- Modifies system executable filetype association
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\svchost.exe
C:\Windows\svchost.exe
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies registry class
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
690KB

MD5
85c857e0a66f339aa4a14e4b0803ddbd

SHA1
4074cefb1e99d502a01d528d265d24b168c137b5

SHA256
f060f352bea3256c394b918ab76af7c205696eb9a781c2c53a75c2d52bf7e1d0

SHA512
3dc38300a46a0a248df4ffbcfac0589d99e79a913048501f9d8e003bdfe6c51fcfcf7873fe1379c68ff1b2d56a0bc5264ff3e9440c7e495de5883afbbb7e9dd0

Download Submit
memory/1444-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-55-0x0000000000000000-mapping.dmp

Download
memory/1928-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads