0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

General

Target

0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
Size

130KB
MD5

1b393f35a3329bf17af357f26b6abc9e
SHA1

6544adf7e31f7514c753a01dc408a6ee9e6d9f77
SHA256

0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8
SHA512

3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14
SSDEEP

3072:sXvZEHA1EaU6mLVQQ9oi3W45qy/Uua6B264qE+El:sXTUC7i3W45GuH26w

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Service Host = "C:\\Windows\\SysWOW64\\Microsoft\\Windows\\System32\\svchost.exe -k LocalService"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe -k LocalService"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	svchost.exe

Deletes itself 1 IoCs

pid	Process
1948	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Microsoft	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows\System32	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows\System32	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File created	C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1948	1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	27
PID 1900 wrote to memory of 1948	1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	27
PID 1900 wrote to memory of 1948	1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	27
PID 1900 wrote to memory of 1948	1900	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	27

C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
"C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
  C:\Windows\System32\Microsoft\Windows\System32\svchost.exe -k LocalService -d11081665170111810177131869918613717318111913061616917172511166111021118151071311199916513715318111596161714171710716681111181519713919949561371831811215961631417171714166781118710713819991421813719131811161546161812174171071661916111801467139190991613137692181116156161921117171414166121711185671331999101313717918117761614124171771616612811187671318199916131371791811676161911171712141646151701118132107136182909651372534181121615261611111717111616612811182186713191899313137169218111176161412171712141661481118567135189913131307169181116761617121717714166781118154107131718991951371091811161561691117177141669171118136071341518991813013764918111615616161217178141663171118857131819991061371731811
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
memory/1900-58-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1900-59-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1900-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1900-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1900-65-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1948-70-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/1948-71-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing