81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
Size

28KB
MD5

98796e376e08ab8fce2dfb0570938751
SHA1

5a8f6bfdc7791d7c7336b225ec996fb60a90a6d3
SHA256

81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812
SHA512

a029579f3f9c6f5247521097fbccec8cdd1d196c95d8813c8da446bb33474b15a2465578a6c3c60e5533ba07e1a5515b4cde55596a14df3b7c9ca98ae2d35877
SSDEEP

768:b2FFwaMLgTzqjA4pYOUd+/u9uppQ1MZrX5iHkYmDWVcNnXwzMtc2/:bWTcvjVpzJdYWZ75hYy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4264	sovhst.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\debugger = "ntsd -d"	sovhst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE\debugger = "ntsd -d"	sovhst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE\debugger = "ntsd -d"	sovhst.exe

Loads dropped DLL 1 IoCs

pid	Process
4264	sovhst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\linkinfo.dll	sovhst.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\sovhst.exe	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
File opened for modification	C:\Program Files\sovhst.exe	sovhst.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fonts\niuxs.sys	sovhst.exe
File created	C:\Windows\fonts\fuckjss.sys	sovhst.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2536	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe
4264	sovhst.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	sovhst.exe
Token: SeDebugPrivilege	4264	sovhst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4264	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	79
PID 3916 wrote to memory of 4264	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	79
PID 3916 wrote to memory of 4264	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	79
PID 4264 wrote to memory of 856	4264	sovhst.exe	80
PID 4264 wrote to memory of 856	4264	sovhst.exe	80
PID 4264 wrote to memory of 856	4264	sovhst.exe	80
PID 856 wrote to memory of 2536	856	cmd.exe	82
PID 856 wrote to memory of 2536	856	cmd.exe	82
PID 856 wrote to memory of 2536	856	cmd.exe	82
PID 3916 wrote to memory of 5036	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	84
PID 3916 wrote to memory of 5036	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	84
PID 3916 wrote to memory of 5036	3916	81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe	84

C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
"C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Program Files\sovhst.exe
  "C:\Program Files\sovhst.exe"
  2⤵
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config avp start= disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\sc.exe
      sc config avp start= disabled
      4⤵
      Launches sc.exe
      PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\sovhst.exe

Filesize
24KB

MD5
5b740193023b700d63331f2f73473851

SHA1
e117d4e186af3a0c8cdcdd4b239852ac37ab6a6d

SHA256
7fd7baa8cabcb6d218fa4dd3efbd65d8e9dd195cbf2af858c8665d9ccbbba412

SHA512
0b2a86922696a7f3c23aee456c9275fb981d8862d699d8c777ee756e123e572ca0e8604bdd20d113b6b460c036147bb9f9986ffd7af8cf3e3e837ea08ef562d7

Download Submit
C:\Program Files\sovhst.exe

Filesize
24KB

MD5
5b740193023b700d63331f2f73473851

SHA1
e117d4e186af3a0c8cdcdd4b239852ac37ab6a6d

SHA256
7fd7baa8cabcb6d218fa4dd3efbd65d8e9dd195cbf2af858c8665d9ccbbba412

SHA512
0b2a86922696a7f3c23aee456c9275fb981d8862d699d8c777ee756e123e572ca0e8604bdd20d113b6b460c036147bb9f9986ffd7af8cf3e3e837ea08ef562d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllC587.tmp

Filesize
17KB

MD5
2398c9de62d15b8957a97f877d7f6982

SHA1
ee6ec78a3e0c50bbb21f7be4445f2874f9addc8c

SHA256
aff30473dd841ef8a285dd71c69da64e4295fbdecbd9e800a7522719ec4b1057

SHA512
741abeccb76c08fa11dec3752209749fd5853bc3a6f847cd67aace1900fd4ee199aec1a4279372c87c6c2d2acf8e281a3570372f96d649fd1f1dc907a68468a8

Download Submit
memory/3916-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4264-137-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4264-142-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download