a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

Analysis

max time kernel
192s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
Size

1012KB
MD5

d9687bcc9a27bcd0f13b9582edb06f67
SHA1

a74a952457d1bc2edb9d459852fe823615870f60
SHA256

a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92
SHA512

c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769
SSDEEP

12288:b5r+zclYhHS4xovm4+l+9qzezjhGfqlmTlKb37NTXivuzV+2ZrPhnqyPqFjFMuMX:b1+E0SmUafqGlKj7NbivuM2ZrJCjN8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4596	vhwmdff.exe
2796	vhwmdff.exe
1696	vhwmdff.exe
2312	vhwmdff.exe
1092	vhwmdff.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\vhwmdff.exe.log	vhwmdff.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 4596 set thread context of 1092	4596	vhwmdff.exe	87

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133139136521911902"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139136559724322"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139136287850015"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139136481287483"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133139136897849855"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3688	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
3688	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
1092	vhwmdff.exe
1092	vhwmdff.exe
1092	vhwmdff.exe
1092	vhwmdff.exe
1092	vhwmdff.exe
1092	vhwmdff.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	vhwmdff.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe
Token: SeTcbPrivilege	772	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 2068 wrote to memory of 3688	2068	a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe	82
PID 4596 wrote to memory of 2796	4596	vhwmdff.exe	84
PID 4596 wrote to memory of 2796	4596	vhwmdff.exe	84
PID 4596 wrote to memory of 2796	4596	vhwmdff.exe	84
PID 4596 wrote to memory of 1696	4596	vhwmdff.exe	85
PID 4596 wrote to memory of 1696	4596	vhwmdff.exe	85
PID 4596 wrote to memory of 1696	4596	vhwmdff.exe	85
PID 4596 wrote to memory of 2312	4596	vhwmdff.exe	86
PID 4596 wrote to memory of 2312	4596	vhwmdff.exe	86
PID 4596 wrote to memory of 2312	4596	vhwmdff.exe	86
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 4596 wrote to memory of 1092	4596	vhwmdff.exe	87
PID 1092 wrote to memory of 772	1092	vhwmdff.exe	8
PID 772 wrote to memory of 544	772	svchost.exe	94
PID 772 wrote to memory of 544	772	svchost.exe	94
PID 772 wrote to memory of 544	772	svchost.exe	94
PID 772 wrote to memory of 2624	772	svchost.exe	95
PID 772 wrote to memory of 2624	772	svchost.exe	95
PID 772 wrote to memory of 2624	772	svchost.exe	95
PID 772 wrote to memory of 1300	772	svchost.exe	96
PID 772 wrote to memory of 1300	772	svchost.exe	96
PID 772 wrote to memory of 1300	772	svchost.exe	96
PID 772 wrote to memory of 452	772	svchost.exe	97
PID 772 wrote to memory of 452	772	svchost.exe	97
PID 772 wrote to memory of 452	772	svchost.exe	97
PID 772 wrote to memory of 4940	772	svchost.exe	100
PID 772 wrote to memory of 4940	772	svchost.exe	100
PID 772 wrote to memory of 4940	772	svchost.exe	100
PID 772 wrote to memory of 4016	772	svchost.exe	101
PID 772 wrote to memory of 4016	772	svchost.exe	101

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:544
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2624
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:1300
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:452
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4940
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4016

C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
"C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe
  "C:\Users\Admin\AppData\Local\Temp\a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\nxzrgth

Filesize
654B

MD5
179acbc5289320613ba0da7eef3fc7fc

SHA1
505213700e5a9e05d4f4e45534f6c1e5d9520959

SHA256
635a1fb3d324686babb466de2e02c0151c84d533e0134b99bf687b124b5f1ee7

SHA512
ae9efc96c0e618e8e4d0b5717c375f57cae68a324c7b95cc8642d07f30a874a277339808408f2b5ddf5633346464cf3487b7c63acd108332fbfb8c93a81f0d22

Download Submit
C:\ProgramData\ssh\nxzrgth

Filesize
654B

MD5
179acbc5289320613ba0da7eef3fc7fc

SHA1
505213700e5a9e05d4f4e45534f6c1e5d9520959

SHA256
635a1fb3d324686babb466de2e02c0151c84d533e0134b99bf687b124b5f1ee7

SHA512
ae9efc96c0e618e8e4d0b5717c375f57cae68a324c7b95cc8642d07f30a874a277339808408f2b5ddf5633346464cf3487b7c63acd108332fbfb8c93a81f0d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
1012KB

MD5
d9687bcc9a27bcd0f13b9582edb06f67

SHA1
a74a952457d1bc2edb9d459852fe823615870f60

SHA256
a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

SHA512
c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

Download Submit
memory/772-153-0x0000000031AE0000-0x0000000031B57000-memory.dmp

Filesize
476KB

Download
memory/1092-152-0x00000000012F0000-0x000000000153B000-memory.dmp

Filesize
2.3MB

Download
memory/2068-138-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2068-136-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-137-0x0000000001790000-0x00000000019DB000-memory.dmp

Filesize
2.3MB

Download
memory/3688-135-0x0000000001570000-0x000000000178A000-memory.dmp

Filesize
2.1MB

Download
memory/3688-134-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3688-133-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4596-151-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/4596-142-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/4596-141-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download