0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4

General

Target

0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Size

776KB
MD5

1eed7deefa60f321b325a22bf0a9841d
SHA1

bc9b230f5a0120a9eb5971812e4c199b04f6da6c
SHA256

0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4
SHA512

6f4f9297e376c28b532bd97c23f29d145f59bb9fbe1b9db17f9881b4585d789229e4543d344a5e4e593db6726ec647836c0d5daaebdd98fc49cf86863cfeeee7
SSDEEP

24576:UsW/WNSZ8CLGETEjgXs4hDFqCLBkLuC4ATl:Up/HiCHbxhDMEOLutAJ

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msvcn32.exe"	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msvcn32.exe"	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	spoolsv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcl32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File created	C:\Windows\SysWOW64\msvcn32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File opened for modification	C:\Windows\SysWOW64\msvcn32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File created	C:\Windows\SysWOW64\concp32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\spoolsv.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
File created	C:\Windows\spoolsv.exe	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 50baf61a9f5ade489311a1b0224006ce	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3BB55C09-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1768	1204	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe	27
PID 1204 wrote to memory of 1768	1204	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe	27
PID 1204 wrote to memory of 1768	1204	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe	27
PID 1204 wrote to memory of 1768	1204	0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe	27

C:\Users\Admin\AppData\Local\Temp\0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe
"C:\Users\Admin\AppData\Local\Temp\0d378d35fc5d3b394c2536b057436e71eaf7b3c04091cd19ccee4caec6d45eb4.exe"
1⤵
- Modifies system executable filetype association
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\spoolsv.exe
  C:\Windows\spoolsv.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Modifies registry class
  PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\spoolsv.exe

Filesize
780KB

MD5
dd48a7fde03ee3e5b7ac8f594fb89c34

SHA1
204b0484c8332fd6c9295314acd63de73c318ea5

SHA256
ad05d2c0bf5788e146410e94984e93687523fae921b46ab7094c8bc6dfe5212b

SHA512
a07420a3a33d75f17e771b9dd10b3a3d1d98e0ace24c7b0bd1ca39e622c96015c6130fdc70f063fa30427bbb1bdad10afb585ba06e46653870e26220b5c28adb

Download Submit
memory/1204-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-55-0x0000000000000000-mapping.dmp

Download
memory/1768-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads