5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e

General

Target

5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e.exe
Size

183KB
MD5

d1d8ac86520cc64370fb930ab8d63f45
SHA1

e9f5e7d2051f701038a0bdab1cf0ded44638f28d
SHA256

5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e
SHA512

5f90a14708edb65e80ccd060f85404808befc21b4d39255e2bd48f4d3ebf897a8cd90db494745d7622ba7d1fd1e0dee5c33ab26d08befe58b752ba81d921aae8
SSDEEP

3072:FvWotnOkwYaH3p4njdwIhYPyVu//GJzpF1D5un:NWolO7Rp4jxVhzun

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\iCount\Parameters\ServiceDll = "C:\\Windows\\Temp\\HostService.dll"	5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1380-55-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
944	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ce-7c-c8-9e-ac	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\ae-ce-7c-c8-9e-ac	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ce-7c-c8-9e-ac\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadNetworkName = "Network 2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ce-7c-c8-9e-ac\WpadDecisionTime = c007b95c0803d901	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0045000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{95C3B504-47C6-4141-ADAB-8862A97112D0}\WpadDecisionTime = c007b95c0803d901	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ce-7c-c8-9e-ac\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e.exe
"C:\Users\Admin\AppData\Local\Temp\5a0ac8396526447a810f54d8db717c6228221f16cef43c2f6f50146d270d556e.exe"
1⤵
- Sets DLL path for service in the registry
PID:1380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\hostservice.dll

Filesize
136KB

MD5
39a9c5b0f4723947de4d91c12563b227

SHA1
fbad821bf44b78ca28df7d7ca13f13a5b39f1338

SHA256
3e07c8d3fb642b2ebd2ba72e38d18e0022a86d36148fb88d55b84885d69aa9ff

SHA512
c11e7375e1dcc2b1ae1c590fa077f73f63e4f56a214e8426d388cc7bd488c144d024a61e0d602f6097774b848d680c2863d893347d80ada813fdeea4cae3b7fa

Download Submit
\Windows\Temp\HostService.dll

Filesize
136KB

MD5
39a9c5b0f4723947de4d91c12563b227

SHA1
fbad821bf44b78ca28df7d7ca13f13a5b39f1338

SHA256
3e07c8d3fb642b2ebd2ba72e38d18e0022a86d36148fb88d55b84885d69aa9ff

SHA512
c11e7375e1dcc2b1ae1c590fa077f73f63e4f56a214e8426d388cc7bd488c144d024a61e0d602f6097774b848d680c2863d893347d80ada813fdeea4cae3b7fa

Download Submit
memory/944-57-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing