9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c

General

Target

9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe
Size

372KB
MD5

1e1b80a07f00b2c2edac7c613b03decd
SHA1

0418955f6d685da9c069a116994c2970b8a0f8f9
SHA256

9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c
SHA512

ecc012766ff45a9411c484bed28e9d81c2c905872728e71a9c9cad80f7901b8b450b241609bd8c49ece85d397bf3259e2f23941744b51bfe1e72121793269613
SSDEEP

6144:RAlGAl/iEj4XO4eKPujeLJJSENknFRn9i7MjWlVgfkWOof115FTIA:zwi9VRJSEqnr46WSM6f115

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
912	svcmost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1532	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ee44995c964b68fdb52c6e311917841.exe	svcmost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ee44995c964b68fdb52c6e311917841.exe	svcmost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ee44995c964b68fdb52c6e311917841 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svcmost.exe\" .."	svcmost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ee44995c964b68fdb52c6e311917841 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svcmost.exe\" .."	svcmost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
912	svcmost.exe
912	svcmost.exe
912	svcmost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	svcmost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 912	668	9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe	28
PID 668 wrote to memory of 912	668	9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe	28
PID 668 wrote to memory of 912	668	9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe	28
PID 912 wrote to memory of 1532	912	svcmost.exe	29
PID 912 wrote to memory of 1532	912	svcmost.exe	29
PID 912 wrote to memory of 1532	912	svcmost.exe	29

C:\Users\Admin\AppData\Local\Temp\9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe
"C:\Users\Admin\AppData\Local\Temp\9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Local\Temp\svcmost.exe
  "C:\Users\Admin\AppData\Local\Temp\svcmost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svcmost.exe" "svcmost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svcmost.exe

Filesize
372KB

MD5
1e1b80a07f00b2c2edac7c613b03decd

SHA1
0418955f6d685da9c069a116994c2970b8a0f8f9

SHA256
9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c

SHA512
ecc012766ff45a9411c484bed28e9d81c2c905872728e71a9c9cad80f7901b8b450b241609bd8c49ece85d397bf3259e2f23941744b51bfe1e72121793269613

Download Submit
C:\Users\Admin\AppData\Local\Temp\svcmost.exe

Filesize
372KB

MD5
1e1b80a07f00b2c2edac7c613b03decd

SHA1
0418955f6d685da9c069a116994c2970b8a0f8f9

SHA256
9c06619c911dc9aeb11f6a73925e4c8e839d27b9ab79e0ce040e686d6763132c

SHA512
ecc012766ff45a9411c484bed28e9d81c2c905872728e71a9c9cad80f7901b8b450b241609bd8c49ece85d397bf3259e2f23941744b51bfe1e72121793269613

Download Submit
memory/668-54-0x000007FEF3C60000-0x000007FEF4683000-memory.dmp

Filesize
10.1MB

Download
memory/668-55-0x000007FEF2770000-0x000007FEF3806000-memory.dmp

Filesize
16.6MB

Download
memory/668-56-0x0000000002056000-0x0000000002075000-memory.dmp

Filesize
124KB

Download
memory/668-62-0x0000000002056000-0x0000000002075000-memory.dmp

Filesize
124KB

Download
memory/912-60-0x000007FEF3C60000-0x000007FEF4683000-memory.dmp

Filesize
10.1MB

Download
memory/912-61-0x000007FEF2770000-0x000007FEF3806000-memory.dmp

Filesize
16.6MB

Download
memory/912-63-0x0000000000A16000-0x0000000000A35000-memory.dmp

Filesize
124KB

Download
memory/912-66-0x0000000000A16000-0x0000000000A35000-memory.dmp

Filesize
124KB

Download
memory/1532-65-0x000007FEFBBC1000-0x000007FEFBBC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing