Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 23-11-2022 18:59
Static task: static1
Behavioral task: behavioral1
  Sample: 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
  Resource: win10v2004-20220812-en
General
Target: 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
Size: 1.3MB
MD5: bc1e19b75dc9b9ea1939a1234cca5746
SHA1: e3a1ff81f188565d6fea6e6950c8c50b58c145ff
SHA256: 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f
SHA512: bc183d8f08a628478b518a252dc8cd0f0085938cd3a7f34bf4dbd6267b50df2d4033ee342540aa9d7a463f70244e2805dd74bd4e18e8bb83feaee7e657bd679c
SSDEEP: 24576:zc//////uTXg7JC/leoYP06fTwE8kjvVben2X+mUDkubit+nCTJk41sq9t4akdqf:zc//////uTXSJulhYs6bwKjvlUtmUDk3
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
  pid | process
  5084 | scvhosts.exe
  5088 | °ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
  4776 | scvhosts
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run | scvhosts.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scvhosts = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\scvhosts\"" | scvhosts.exe
-
Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts | scvhosts.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts | scvhosts.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 4776 | scvhosts
  Token: SeIncBasePriorityPrivilege | 4776 | scvhosts
  Token: SeIncBasePriorityPrivilege | 4776 | scvhosts
-
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 4092 wrote to memory of 5048 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 4092 wrote to memory of 5048 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 4092 wrote to memory of 5048 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 4092 wrote to memory of 1612 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 4092 wrote to memory of 1612 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 4092 wrote to memory of 1612 | 4092 | 900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe | cmd.exe
  PID 5048 wrote to memory of 5084 | 5048 | cmd.exe | scvhosts.exe
  PID 5048 wrote to memory of 5084 | 5048 | cmd.exe | scvhosts.exe
  PID 5048 wrote to memory of 5084 | 5048 | cmd.exe | scvhosts.exe
  PID 1612 wrote to memory of 5088 | 1612 | cmd.exe | °ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
  PID 1612 wrote to memory of 5088 | 1612 | cmd.exe | °ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
  PID 1612 wrote to memory of 5088 | 1612 | cmd.exe | °ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
  PID 5084 wrote to memory of 4776 | 5084 | scvhosts.exe | scvhosts
  PID 5084 wrote to memory of 4776 | 5084 | scvhosts.exe | scvhosts
  PID 5084 wrote to memory of 4776 | 5084 | scvhosts.exe | scvhosts
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\900e3d4de88f95d6b7e8713b31bde3ada3710f66d8a318c71baab11ac3f1e67f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4092
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\scvhosts.exe"
        - Suspicious use of WriteProcessMemory
        PID: 5048
        [3] C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\scvhosts.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            PID: 5084
            [4] C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts
                Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\scvhosts"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID: 4776
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\°ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe"
        - Suspicious use of WriteProcessMemory
        PID: 1612
        [3] C:\Users\Admin\AppData\Local\Temp\°ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\°ÄÃÅʱʱ²Ê¹ÜÀíÕ¾.exe
            - Executes dropped EXE
            PID: 5088
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 682KB
MD5: 9259add01be737bf2cfecfb24e57f279
SHA1: d756e6113ab2cc61c1fdf4d6dcda6b75832d1b93
SHA256: 645598749b9407965214fb267b28ed2b8ee05d2c4bcad55bffce301a1cfd863c
SHA512: 5bfce35f419ed7623bf260f8d7eb0d76a910afe20662ec346adbc18a1cbc210f19e2b707472c51f05be5561e9a7426b14f7d9e7b0b64976d818a4ec9742fa507
-
Filesize: 635KB
MD5: 6896473d1f722402af403fe615f510fa
SHA1: 9c55536735833817a17a0db6b10cfb3b7c5f981f
SHA256: 0c7d1760696ec8b57d00a198a3b09acfb3d5deab108a4d22322c1c7de9ed9157
SHA512: 7bcdd8e258784651cd0dbbef932f6b6c7f2091a1598d5c825ee662b41535e42aa5078eed1f78e1d06e78c94945e3f3dbd092b7ef1aa503f450ec9074de1400e4