9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581

General

Target

9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
Size

38KB
MD5

17eac14329b3ba6bc3e242d2999ddcc0
SHA1

86262d6b25f85e7c2d98d67fe267dbad9f220d14
SHA256

9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581
SHA512

726177cf401c3a28364e25a19a3e9d5e92dc4a5b2d816721dca4f1b17350609db5080bbf7e890e156157f5043d5644fdf1e182dd69c3ca56093227798e46967b
SSDEEP

768:2uW1FGZ0luJM94iC94Mlf0rMQqiKdtvudbuExOKDNXRd+YXGX6y:8GZoAvlf0rMQqZWdbBOURd+YXGX6y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1552	SVCH0ST.EXE

Loads dropped DLL 1 IoCs

pid	Process
1552	SVCH0ST.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myZt2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zt2\\SVCH0ST.EXE"	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\norton.sys	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
File opened for modification	C:\Windows\SysWOW64\norton.sys	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
Token: SeDebugPrivilege	1552	SVCH0ST.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1552	SVCH0ST.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1552	812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe	82
PID 812 wrote to memory of 1552	812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe	82
PID 812 wrote to memory of 1552	812	9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe	82

C:\Users\Admin\AppData\Local\Temp\9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
"C:\Users\Admin\AppData\Local\Temp\9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\Zt2\SVCH0ST.EXE
  C:\Users\Admin\AppData\Local\Temp\Zt2\SVCH0ST.EXE C:\Users\Admin\AppData\Local\Temp\9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zt2\SVCH0ST.EXE

Filesize
38KB

MD5
17eac14329b3ba6bc3e242d2999ddcc0

SHA1
86262d6b25f85e7c2d98d67fe267dbad9f220d14

SHA256
9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581

SHA512
726177cf401c3a28364e25a19a3e9d5e92dc4a5b2d816721dca4f1b17350609db5080bbf7e890e156157f5043d5644fdf1e182dd69c3ca56093227798e46967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zt2\SVCH0ST.EXE

Filesize
38KB

MD5
17eac14329b3ba6bc3e242d2999ddcc0

SHA1
86262d6b25f85e7c2d98d67fe267dbad9f220d14

SHA256
9dbd239a99647da00b9c9edca5e5150617d6900f4f89ad038045bb185c774581

SHA512
726177cf401c3a28364e25a19a3e9d5e92dc4a5b2d816721dca4f1b17350609db5080bbf7e890e156157f5043d5644fdf1e182dd69c3ca56093227798e46967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ztgx.dll

Filesize
20KB

MD5
56e87a2d819b29272823d52f75ed91f2

SHA1
43a1329d9eb988fd1a9ee8ed315049a128f9f598

SHA256
345d3b7367a1cecdb90cf4e8baaed0d19285c7ba3895ab5e2b70c2bd73e57794

SHA512
6bf5614edc0a0fb888af88564c8858c6220c46383daf03c7cefdaffebc5d243400482c3aecb297d78ac2529114b6f3700c97fcc9946c3f3b1bd297f813e83de8

Download Submit
memory/812-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/812-135-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/812-137-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/1552-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1552-140-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1552-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1552-142-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing