d512d4dfff3ff99cf39176b37069b86e72b97432dbd604b70c8720461a23bf10

General

Target

svchost/svchost.exe
Size

268KB
MD5

43d08c0cf431e081e4b85515f8ed6e56
SHA1

980b13a9fbf712a80b45444dc63f9b95a8e2f4bc
SHA256

4f77019c9028fe94ff2995127578c40685b57ad4181cfd16c08a736e4a9cded2
SHA512

5d672c19aa02a09b8ecd5f59b421cb9399eca2a45982e0ef87e4fcedcacd67b200c8f9c6582e93c5285dcc2f5257e200d4e812c51ade165491986d36719a1293
SSDEEP

6144:Ta53bJhs0W69hd1MMdxPe9N9uA0Fu9TBAwzVgBxpyuDMk2kcVef+gKP3v:O1bjXFu9Tu8fd7/

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "mshta vbscript:msgbox(\"??????????!??????????!\",16,\"?????????\")(window.close)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\debugger = "mshta vbscript:msgbox(\"??????????!??????????!\",16,\"?????????\")(window.close)"	regedit.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\1.vbs	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	cmd.exe
File opened for modification	C:\Windows\svchost.exe	cmd.exe
File opened for modification	C:\Windows\2\31.reg	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
2296	taskkill.exe
4260	taskkill.exe
4612	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4336	regedit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4552	2428	svchost.exe	82
PID 2428 wrote to memory of 4552	2428	svchost.exe	82
PID 4552 wrote to memory of 4336	4552	cmd.exe	84
PID 4552 wrote to memory of 4336	4552	cmd.exe	84
PID 4552 wrote to memory of 4260	4552	cmd.exe	85
PID 4552 wrote to memory of 4260	4552	cmd.exe	85
PID 4552 wrote to memory of 4612	4552	cmd.exe	87
PID 4552 wrote to memory of 4612	4552	cmd.exe	87
PID 4552 wrote to memory of 1832	4552	cmd.exe	88
PID 4552 wrote to memory of 1832	4552	cmd.exe	88
PID 1832 wrote to memory of 4416	1832	WScript.exe	89
PID 1832 wrote to memory of 4416	1832	WScript.exe	89
PID 4416 wrote to memory of 2296	4416	cmd.exe	91
PID 4416 wrote to memory of 2296	4416	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7474.tmp\7475.tmp\7476.bat C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\regedit.exe
    Regedit /s C:\Windows\2\31.reg
    3⤵
    - Sets file execution options in registry
    - Runs .reg file with regedit
    PID:4336
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im perfmon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\1.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im explorer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7474.tmp\7475.tmp\7476.bat

Filesize
12KB

MD5
4755ff4522eaa4071a841e4971a7ed2a

SHA1
4b1e5e11691b2f20c020dfbd0b35743ab43cfa8e

SHA256
ffeb5830cec1234d357072b6504b2672485fd4a8b1c5b3e3514c511901c4a4ed

SHA512
830232c626281131fe0c409fb3011e4267286fe32903b05229cf7ced77c00ec69c02cd60e93036306e2269688afdcfd005437f7812af713bdde0d30c446159ae

Download Submit
C:\Windows\2\31.reg

Filesize
444B

MD5
ebe3fd17fde6d498bd530a57863644c0

SHA1
fe76d4faa6cae714f1f650294f51b08af13ba85f

SHA256
ae1fa8f693ab356dbf0f54aa49dad1781a16e0835d9a256773468427bddd6931

SHA512
627355bfd1882318daef37956d7b036bff1ec819d4f2c9fdcbe25ab5d4c5fd7ef3386e3aa7b465da74f7acc01ffee39db3058ee717fb2bb56fc4f5e4c2414a7f

Download Submit
C:\Windows\System32\1.vbs

Filesize
829B

MD5
02bad85fcfc935f75f55a31db7de2fdb

SHA1
0c9a9a1e47f3a8fd9e278ec905be569cfdc63458

SHA256
99d0f76cad13e4be4ae28c2214a6073b4ef7efe178734800759503c78e5302e5

SHA512
e8017389393e4166c7d74b0e765314f236c03c0dda9d42c04824fe72654b9bf523b5cf70fa6f1f4718bb893451f62589785b9269b33b196f851f1960faee1253

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads