900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f

General

Target

900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
Size

1.3MB
MD5

bc1e19b75dc9b9ea1939a1234cca5746
SHA1

e3a1ff81f188565d6fea6e6950c8c50b58c145ff
SHA256

900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f
SHA512

bc183d8f08a628478b518a252dc8cd0f0085938cd3a7f34bf4dbd6267b50df2d4033ee342540aa9d7a463f70244e2805dd74bd4e18e8bb83feaee7e657bd679c
SSDEEP

24576:zc//////uTXg7JC/leoYP06fTwE8kjvVben2X+mUDkubit+nCTJk41sq9t4akdqf:zc//////uTXSJulhYs6bwKjvlUtmUDk3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

scvhosts.exe°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exescvhosts

pid process

5084 scvhosts.exe
5088 °ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
4776 scvhosts

pid	process
5084	scvhosts.exe
5088	°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
4776	scvhosts

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

scvhosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run	scvhosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhosts = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\scvhosts\""	scvhosts.exe

Drops file in Program Files directory 2 IoCs

Processes:

scvhosts.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts	scvhosts.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

scvhosts

description	pid	process
Token: SeIncBasePriorityPrivilege	4776	scvhosts
Token: SeIncBasePriorityPrivilege	4776	scvhosts
Token: SeIncBasePriorityPrivilege	4776	scvhosts

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.execmd.execmd.exescvhosts.exe

description	pid	process	target process
PID 4092 wrote to memory of 5048	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 4092 wrote to memory of 5048	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 4092 wrote to memory of 5048	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 4092 wrote to memory of 1612	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 4092 wrote to memory of 1612	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 4092 wrote to memory of 1612	4092	900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe	cmd.exe
PID 5048 wrote to memory of 5084	5048	cmd.exe	scvhosts.exe
PID 5048 wrote to memory of 5084	5048	cmd.exe	scvhosts.exe
PID 5048 wrote to memory of 5084	5048	cmd.exe	scvhosts.exe
PID 1612 wrote to memory of 5088	1612	cmd.exe	°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
PID 1612 wrote to memory of 5088	1612	cmd.exe	°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
PID 1612 wrote to memory of 5088	1612	cmd.exe	°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
PID 5084 wrote to memory of 4776	5084	scvhosts.exe	scvhosts
PID 5084 wrote to memory of 4776	5084	scvhosts.exe	scvhosts
PID 5084 wrote to memory of 4776	5084	scvhosts.exe	scvhosts

C:\Users\Admin\AppData\Local\Temp\900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
"C:\Users\Admin\AppData\Local\Temp\900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
C:\Users\Admin\AppData\Local\Temp\°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe
3⤵
- Executes dropped EXE
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts

Filesize
682KB

MD5
9259add01be737bf2cfecfb24e57f279

SHA1
d756e6113ab2cc61c1fdf4d6dcda6b75832d1b93

SHA256
645598749b9407965214fb267b28ed2b8ee05d2c4bcad55bffce301a1cfd863c

SHA512
5bfce35f419ed7623bf260f8d7eb0d76a910afe20662ec346adbc18a1cbc210f19e2b707472c51f05be5561e9a7426b14f7d9e7b0b64976d818a4ec9742fa507

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\scvhosts

Filesize
682KB

MD5
9259add01be737bf2cfecfb24e57f279

SHA1
d756e6113ab2cc61c1fdf4d6dcda6b75832d1b93

SHA256
645598749b9407965214fb267b28ed2b8ee05d2c4bcad55bffce301a1cfd863c

SHA512
5bfce35f419ed7623bf260f8d7eb0d76a910afe20662ec346adbc18a1cbc210f19e2b707472c51f05be5561e9a7426b14f7d9e7b0b64976d818a4ec9742fa507

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe

Filesize
682KB

MD5
9259add01be737bf2cfecfb24e57f279

SHA1
d756e6113ab2cc61c1fdf4d6dcda6b75832d1b93

SHA256
645598749b9407965214fb267b28ed2b8ee05d2c4bcad55bffce301a1cfd863c

SHA512
5bfce35f419ed7623bf260f8d7eb0d76a910afe20662ec346adbc18a1cbc210f19e2b707472c51f05be5561e9a7426b14f7d9e7b0b64976d818a4ec9742fa507

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhosts.exe

Filesize
682KB

MD5
9259add01be737bf2cfecfb24e57f279

SHA1
d756e6113ab2cc61c1fdf4d6dcda6b75832d1b93

SHA256
645598749b9407965214fb267b28ed2b8ee05d2c4bcad55bffce301a1cfd863c

SHA512
5bfce35f419ed7623bf260f8d7eb0d76a910afe20662ec346adbc18a1cbc210f19e2b707472c51f05be5561e9a7426b14f7d9e7b0b64976d818a4ec9742fa507

Download Submit
C:\Users\Admin\AppData\Local\Temp\°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe

Filesize
635KB

MD5
6896473d1f722402af403fe615f510fa

SHA1
9c55536735833817a17a0db6b10cfb3b7c5f981f

SHA256
0c7d1760696ec8b57d00a198a3b09acfb3d5deab108a4d22322c1c7de9ed9157

SHA512
7bcdd8e258784651cd0dbbef932f6b6c7f2091a1598d5c825ee662b41535e42aa5078eed1f78e1d06e78c94945e3f3dbd092b7ef1aa503f450ec9074de1400e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\°ÄÃÅÊ±Ê±²Ê¹ÜÀíÕ¾.exe

Filesize
635KB

MD5
6896473d1f722402af403fe615f510fa

SHA1
9c55536735833817a17a0db6b10cfb3b7c5f981f

SHA256
0c7d1760696ec8b57d00a198a3b09acfb3d5deab108a4d22322c1c7de9ed9157

SHA512
7bcdd8e258784651cd0dbbef932f6b6c7f2091a1598d5c825ee662b41535e42aa5078eed1f78e1d06e78c94945e3f3dbd092b7ef1aa503f450ec9074de1400e4

Download Submit
memory/1612-133-0x0000000000000000-mapping.dmp

Download
memory/4776-140-0x0000000000000000-mapping.dmp

Download
memory/5048-132-0x0000000000000000-mapping.dmp

Download
memory/5084-134-0x0000000000000000-mapping.dmp

Download
memory/5088-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads