80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf

General

Target

80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
Size

102KB
MD5

0d526a581fe37551f95090b34b3f8539
SHA1

b792f38aae08343dabf1a17ec5d9180d9492c376
SHA256

80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf
SHA512

c2fb51796c5454b14831cc74510792bf949f60ad05e9afd682506a5594be7c3980e2aaeca64a347aa9c774ff2bc83361c4d3d173fce2a4265813ab00e1c29ee9
SSDEEP

3072:65ACQjVyPZZkIVrjQ/BvA7rvjHY4Zx/Woa:8myPZF1AvUrvjHYo/

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\usbhc.sys 80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\usbhc.sys	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe

description	pid	process	target process
PID 1236 set thread context of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

520 sc.exe
1440 sc.exe
1788 sc.exe
272 sc.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
520	sc.exe
1440	sc.exe
1788	sc.exe
272	sc.exe

pid	process
460

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe

description	pid	process	target process
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 1236 wrote to memory of 340	1236	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
PID 340 wrote to memory of 520	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 520	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 520	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 520	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1440	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1440	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1440	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1440	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1788	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1788	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1788	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 1788	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 272	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 272	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 272	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe
PID 340 wrote to memory of 272	340	80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
"C:\Users\Admin\AppData\Local\Temp\80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
C:\Users\Admin\AppData\Local\Temp\80f0c45f7d42275ec4b26daadc5848544dc0fcfec3f2202b38e83ede2d9e9ebf.exe
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\sc.exe
sc stop usbhc
3⤵
- Launches sc.exe
PID:520

C:\Windows\SysWOW64\sc.exe
sc delete usbhc
3⤵
- Launches sc.exe
PID:1440

C:\Windows\SysWOW64\sc.exe
sc create usbhc binPath= C:\Windows\system32\drivers\usbhc.sys type= kernel start= auto DisplayName= usbhc
3⤵
- Launches sc.exe
PID:1788

C:\Windows\SysWOW64\sc.exe
sc start usbhc
3⤵
- Launches sc.exe
PID:272

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Privilege Escalation

New Service

1

T1050

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-70-0x0000000000000000-mapping.dmp

Download
memory/340-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-63-0x0000000000406825-mapping.dmp

Download
memory/340-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/340-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/520-66-0x0000000000000000-mapping.dmp

Download
memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1440-67-0x0000000000000000-mapping.dmp

Download
memory/1788-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing