0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

General

Target

0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
Size

130KB
MD5

1b393f35a3329bf17af357f26b6abc9e
SHA1

6544adf7e31f7514c753a01dc408a6ee9e6d9f77
SHA256

0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8
SHA512

3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14
SSDEEP

3072:sXvZEHA1EaU6mLVQQ9oi3W45qy/Uua6B264qE+El:sXTUC7i3W45GuH26w

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Service Host = "C:\\Windows\\SysWOW64\\Microsoft\\Windows\\System32\\svchost.exe -k LocalService"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe -k LocalService"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4556	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Microsoft	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File created	C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\Windows\System32	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
File opened for modification	C:\Windows\system32\Microsoft\Windows\System32	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4556	3928	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	78
PID 3928 wrote to memory of 4556	3928	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	78
PID 3928 wrote to memory of 4556	3928	0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe	78

C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
"C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
  C:\Windows\System32\Microsoft\Windows\System32\svchost.exe -k LocalService -d1181665171118101771318694918613717318111913616169170175111606111011418151071311199916513715318111596161714171710716468110111815197139192949561371831811159616314171717141667811180710713819499141813719131811216156161812171710716461916111841467139199916131376918111615616191117171414166121711185671331999101313717918117761614121717716166128111876713418219299016132130717921811676161911171712141661517111813107136189965413753181116156161111171711161661281141818671319189931313716918011114746161412171712141661481118567135180992132131371691811160761617121717714166781118154107131718991951371094182111615616091117177141660917111813647131518991813137691811161561616121717814166317111828571341819991061371731811
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe

Filesize
130KB

MD5
1b393f35a3329bf17af357f26b6abc9e

SHA1
6544adf7e31f7514c753a01dc408a6ee9e6d9f77

SHA256
0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

SHA512
3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

Download Submit
memory/3928-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3928-136-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/3928-138-0x00000000009B0000-0x0000000000A6F000-memory.dmp

Filesize
764KB

Download
memory/3928-139-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/3928-144-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/4556-147-0x0000000002570000-0x0000000002573000-memory.dmp

Filesize
12KB

Download
memory/4556-148-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/4556-149-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/4556-150-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing