2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea

General

Target

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Size

204KB
MD5

5ed27d3053cc656a600e448fecaab496
SHA1

4b772f271bb7d86c9913445960fed614a052506b
SHA256

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea
SHA512

b2c15d189ad359ab7870e150d23ffe72e540b2f2ce6b4fa00180e2fda3ebf8cf343b2ef6c2b9ad7ca98d92fa1d5f1cdda15c8f1c38edf606300ee4dc9b36dcd7
SSDEEP

3072:MRAhhcsxgAJuK7bZD01GoI0ON27Usy3/ROzTUF//OE1BMypoxccchtcFBJ1knDx:MRAhhJxX7bNIAROzTsxoyp3wrJ1knDx

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

952 svchost.exe

pid	process
952	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msiap32.exe"	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msiap32.exe"	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

description	ioc	process
File created	C:\Windows\SysWOW64\concp32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File created	C:\Windows\SysWOW64\vcl32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File created	C:\Windows\SysWOW64\msiap32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File opened for modification	C:\Windows\SysWOW64\msiap32.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

Drops file in Windows directory 2 IoCs

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

description	ioc	process
File created	C:\Windows\svchost.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
File opened for modification	C:\Windows\svchost.exe	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

Modifies registry class 12 IoCs

Processes:

svchost.exe2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\ax = aca44805a92505fb8091dc1c8de429d2	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C92B8BA4-8B9A-11D5-EBA1-F78EEEEEE983}	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

pid process

1812 2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

pid	process
1812	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe

description	pid	process	target process
PID 1812 wrote to memory of 952	1812	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe	svchost.exe
PID 1812 wrote to memory of 952	1812	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe	svchost.exe
PID 1812 wrote to memory of 952	1812	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe	svchost.exe
PID 1812 wrote to memory of 952	1812	2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe
"C:\Users\Admin\AppData\Local\Temp\2f0c29983bea934f6e27aa1645e9a0c28e69380c02f8091aae7d2928cc70cbea.exe"
1⤵
- Modifies system executable filetype association
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Modifies registry class
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
209KB

MD5
e58ff7f26d45335a1c2d34f170047fca

SHA1
9ba69804a714f370cc8a5598ff982bd5d72cb395

SHA256
70e5420e84e04bba2d88e276ba8d88aa1ad8ef0a05a63507f3455924d4e7f01d

SHA512
c131fbce237af413cbd78b30f8be330827ba92d797d613fcb047eee6dfe51c188d8742043c408fc3fa6e15aaf695660ee6094f0c583fa744833f034393a4d881

Download Submit
memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/952-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads