ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce

General

Target

ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
Size

112KB
MD5

d32c41307f894359c518565c3beece7c
SHA1

8774d311aec925856d36e9c4382a4e13c66938e5
SHA256

ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce
SHA512

c2812f70e643cd40ce64f663cea3e1d699fe113d3a909bac05b4786ac2f447f0e9f4e32f0c56206985d3fc239f2e99d96397684a11a4ef5f2a89eb3442da9a6c
SSDEEP

1536:Rq2rj11bzDR+jeZw5zX0vCGhNhe2loYOXjuDlLN1+wdElArfSar7lqABVVn7/9ox:Y2PR+Kw57wNbT/giZrfSapv9zHa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svghost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svghost.exe\""	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svghost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svghost.exe\""	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1216	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
1216	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1216	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1228 wrote to memory of 1216	1228	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	28
PID 1216 wrote to memory of 1256	1216	ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
  "C:\Users\Admin\AppData\Local\Temp\ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe
    "C:\Users\Admin\AppData\Local\Temp\ee7438f7d8d4bf23038c163886d7f0a2f81cad52e590a78cc5efd39d68826fce.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-64-0x000000000040114A-mapping.dmp

Download
memory/1216-66-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1216-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1216-71-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing