df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3

General

Target

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe
Size

322KB
MD5

5cf41cd66c441e6f123e2a6ca31dfc94
SHA1

252f08afc054e9ea7772d3509d746a333c852577
SHA256

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3
SHA512

35a7eece74c671ca42131f7af4d5717f53c0f0859cb5f55825128c9c16ba45ae2f6de65cf0b80eea24453a1e4e7d62abc4100bbaf8cfcbe553d37433ab2fb456
SSDEEP

6144:3KfcmBvK3G/IglKkaeJpM5/TuJ/TdnFMrdi4+OBA6OJieishfSyBmvwEN4Qk:3KEavQHYUeTO7k/TdFMrdi0A6OJie9fL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2008 svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1260 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

pid process

1236 df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

pid	process
2008	svchost.exe

pid	process
1260	cmd.exe

pid	process
1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\windows\CurrentVersion\Run	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\system\\svchost.exe\""	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

Drops file in Program Files directory 3 IoCs

Processes:

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

description	ioc	process
File created	C:\Program Files\system\svchost.bat	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe
File created	C:\Program Files\system\svchost.exe	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe
File opened for modification	C:\Program Files\system\svchost.exe	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exesvchost.exe

description	pid	process	target process
PID 1236 wrote to memory of 2008	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	svchost.exe
PID 1236 wrote to memory of 2008	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	svchost.exe
PID 1236 wrote to memory of 2008	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	svchost.exe
PID 1236 wrote to memory of 2008	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	svchost.exe
PID 2008 wrote to memory of 1000	2008	svchost.exe	iexplore.exe
PID 2008 wrote to memory of 1000	2008	svchost.exe	iexplore.exe
PID 2008 wrote to memory of 1000	2008	svchost.exe	iexplore.exe
PID 2008 wrote to memory of 1000	2008	svchost.exe	iexplore.exe
PID 1236 wrote to memory of 1260	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	cmd.exe
PID 1236 wrote to memory of 1260	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	cmd.exe
PID 1236 wrote to memory of 1260	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	cmd.exe
PID 1236 wrote to memory of 1260	1236	df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe
"C:\Users\Admin\AppData\Local\Temp\df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files\system\svchost.exe
"C:\Program Files\system\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\system\svchost.bat""
2⤵
- Deletes itself
PID:1260

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\system\svchost.bat
Filesize
254B

MD5
99328ab5f8dfa3409be286b432e361dd

SHA1
7f317ce632d252562ea7d1366e5f72d9410f3495

SHA256
15c1762901b6ba627b603d60051f9589fd51d393f6915009e57b105aee92b514

SHA512
1eb4437554f567fabba96c45def87fa48ab6474b8322ac52f9333e36c8afd97d979cbde39ada543cf50ea4fc47a7e098ad919688e9d73961de3d361eb972b369

Download Submit
C:\Program Files\system\svchost.exe
Filesize
322KB

MD5
5cf41cd66c441e6f123e2a6ca31dfc94

SHA1
252f08afc054e9ea7772d3509d746a333c852577

SHA256
df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3

SHA512
35a7eece74c671ca42131f7af4d5717f53c0f0859cb5f55825128c9c16ba45ae2f6de65cf0b80eea24453a1e4e7d62abc4100bbaf8cfcbe553d37433ab2fb456

Download Submit
C:\Program Files\system\svchost.exe
Filesize
322KB

MD5
5cf41cd66c441e6f123e2a6ca31dfc94

SHA1
252f08afc054e9ea7772d3509d746a333c852577

SHA256
df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3

SHA512
35a7eece74c671ca42131f7af4d5717f53c0f0859cb5f55825128c9c16ba45ae2f6de65cf0b80eea24453a1e4e7d62abc4100bbaf8cfcbe553d37433ab2fb456

Download Submit
\Program Files\system\svchost.exe
Filesize
322KB

MD5
5cf41cd66c441e6f123e2a6ca31dfc94

SHA1
252f08afc054e9ea7772d3509d746a333c852577

SHA256
df56d5bcfe60053f7d038231e389be9a4f645b718afefa0a725cd1ee882039f3

SHA512
35a7eece74c671ca42131f7af4d5717f53c0f0859cb5f55825128c9c16ba45ae2f6de65cf0b80eea24453a1e4e7d62abc4100bbaf8cfcbe553d37433ab2fb456

Download Submit
memory/1236-69-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download
memory/1236-56-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download
memory/1236-55-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download
memory/1236-57-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1236-58-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download
memory/1236-54-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download
memory/1260-68-0x0000000000000000-mapping.dmp

Download
memory/2008-60-0x0000000000000000-mapping.dmp

Download
memory/2008-67-0x0000000000400000-0x00000000004C781C-memory.dmp

Filesize
798KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads