44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

General

Target

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
Size

1.1MB
MD5

759a89d40794ea36eef8d544d2aac617
SHA1

5686942b21154f81803e72d9dba8d898ba9d7987
SHA256

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d
SHA512

c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e
SSDEEP

24576:Ax2kxb3hcj33RhwoxrY/fE1fPKbuDbQHcsUep4nOPcJC:A15a3RhwgrL30uDkHcsUep4nO0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1552 svchost.exe
1088 svchost.exe

pid	process
1552	svchost.exe
1088	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe

pid	process
956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\svchost.exe"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exesvchost.exe

pid	process
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552	svchost.exe
1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exesvchost.exe

description	pid	process	target process
PID 1600 set thread context of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1552 set thread context of 1088	1552	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1088 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exesvchost.exe

pid process

1600 44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
1552 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1088	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exesvchost.exe

description	pid	process	target process
PID 1600 wrote to memory of 2024	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	splwow64.exe
PID 1600 wrote to memory of 2024	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	splwow64.exe
PID 1600 wrote to memory of 2024	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	splwow64.exe
PID 1600 wrote to memory of 2024	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	splwow64.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 1600 wrote to memory of 956	1600	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
PID 956 wrote to memory of 1552	956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	svchost.exe
PID 956 wrote to memory of 1552	956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	svchost.exe
PID 956 wrote to memory of 1552	956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	svchost.exe
PID 956 wrote to memory of 1552	956	44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1088	1552	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
"C:\Users\Admin\AppData\Local\Temp\44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
C:\Users\Admin\AppData\Local\Temp\44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Local\Microsoft\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Microsoft\svchost.exe
C:\Users\Admin\AppData\Local\Microsoft\svchost.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
1.1MB

MD5
759a89d40794ea36eef8d544d2aac617

SHA1
5686942b21154f81803e72d9dba8d898ba9d7987

SHA256
44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

SHA512
c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
1.1MB

MD5
759a89d40794ea36eef8d544d2aac617

SHA1
5686942b21154f81803e72d9dba8d898ba9d7987

SHA256
44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

SHA512
c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
1.1MB

MD5
759a89d40794ea36eef8d544d2aac617

SHA1
5686942b21154f81803e72d9dba8d898ba9d7987

SHA256
44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

SHA512
c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e

Download Submit
\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
1.1MB

MD5
759a89d40794ea36eef8d544d2aac617

SHA1
5686942b21154f81803e72d9dba8d898ba9d7987

SHA256
44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

SHA512
c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e

Download Submit
\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
1.1MB

MD5
759a89d40794ea36eef8d544d2aac617

SHA1
5686942b21154f81803e72d9dba8d898ba9d7987

SHA256
44d22cee65d4b78674ad2b4cda253e01139d3e668bd26dc1146d26646382517d

SHA512
c94165d41a557074462173fe3d708bf3b09def31ea77cdad20729cf2a4145ecbef234e8b47af250991bf3387624b27de7f555f7f65d8b9859957e81475e5d65e

Download Submit
memory/956-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/956-82-0x000000000041C288-mapping.dmp

Download
memory/956-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-120-0x000000000041C288-mapping.dmp

Download
memory/1552-119-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1552-126-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1552-121-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1552-92-0x0000000000000000-mapping.dmp

Download
memory/1600-89-0x0000000003E10000-0x00000000042C7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-57-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-56-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-84-0x0000000003E10000-0x00000000042C7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-88-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-87-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-55-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/1600-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download
memory/2024-59-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads