Overview

overview

8

Static

static

1

Severance ...ll.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    592s
  • max time network
    450s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2023, 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Severance S1 E1 Good News About Hell.exe

  • Size

    2.4MB

  • MD5

    8a28dffe612b26094c6e883fca8da694

  • SHA1

    731fbea100b7df5b8535f88630935bfdd17f84d6

  • SHA256

    f6bf40e3d9bb4c7a09170e5e3bc695c925355e110eede8115fb8eb27ca85d5ab

  • SHA512

    1f1cd414b8000fa8e7305d19bb07b20d9f9843c900cee44fa360b481dcea8c7d262d6836d6f485e4f8d79cf97f9cb73a78656408a2aaa052527895fa8c16926e

  • SSDEEP

    49152:Sqe3f6xMDdNd5rt/gLLmUKjwuJQ9iEpWHGG2J1:rSix0xYLk8SwTCwH

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Severance S1 E1 Good News About Hell.exe
    "C:\Users\Admin\AppData\Local\Temp\Severance S1 E1 Good News About Hell.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\is-PJ4KH.tmp\Severance S1 E1 Good News About Hell.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PJ4KH.tmp\Severance S1 E1 Good News About Hell.tmp" /SL5="$C002E,1646062,837632,C:\Users\Admin\AppData\Local\Temp\Severance S1 E1 Good News About Hell.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-HO7T8.tmp\update.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\system32\sc.exe
          sc create ServiceUI binpath= "C:\Windows\System32\ServiceUI.exe" start=auto
          4⤵
          • Launches sc.exe
          PID:1252
        • C:\Windows\system32\sc.exe
          sc start ServiceUI
          4⤵
          • Launches sc.exe
          PID:2932
  • C:\Windows\System32\ServiceUI.exe
    C:\Windows\System32\ServiceUI.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\System32\UITheme.exe
      "C:\Windows\System32\UITheme.exe"
      2⤵
      • Executes dropped EXE
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Sordum\first.json
    Filesize

    6B

    MD5

    83a0339e495cafcfc2c18ad4797dd252

    SHA1

    60ed5d70de0bf3031ea9a1c4b3b375b2a081c197

    SHA256

    a74e0e0fb1d7f8c2904624170cd1d04a8cde57e0bf15afb1a27b6c9be39fa002

    SHA512

    39c1cda10209620e789120078ea26658695dee50263cab7f5388c18754157a476dd00d5c67998e34a2bcfa159959202fb66199507e9ca292e63f32ed02a2b3f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Sordum\is-6NI7B.tmp
    Filesize

    75B

    MD5

    e5c559ffe673984a0f536b5abfba8021

    SHA1

    b149fa18695e87f5d3ebd25b2335f991fabee492

    SHA256

    4085f1f20ec6d4e17b9e39619a9dd67f10333b22c129c5a7f4c42833e9dec321

    SHA512

    083d608bf5d2560acd9afae24dc030d631d9b36e2c3e7ece69643bc0df0e5e2df9cfe0c300247830eafd27059a82d8f4ae349cf61b8b84301dbc523b32183f0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Sordum\update.json
    Filesize

    75B

    MD5

    e5c559ffe673984a0f536b5abfba8021

    SHA1

    b149fa18695e87f5d3ebd25b2335f991fabee492

    SHA256

    4085f1f20ec6d4e17b9e39619a9dd67f10333b22c129c5a7f4c42833e9dec321

    SHA512

    083d608bf5d2560acd9afae24dc030d631d9b36e2c3e7ece69643bc0df0e5e2df9cfe0c300247830eafd27059a82d8f4ae349cf61b8b84301dbc523b32183f0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-HO7T8.tmp\_isetup\_isdecmp.dll
    Filesize

    34KB

    MD5

    c6ae924ad02500284f7e4efa11fa7cfc

    SHA1

    2a7770b473b0a7dc9a331d017297ff5af400fed8

    SHA256

    31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

    SHA512

    f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-HO7T8.tmp\_isetup\_isdecmp.dll
    Filesize

    34KB

    MD5

    c6ae924ad02500284f7e4efa11fa7cfc

    SHA1

    2a7770b473b0a7dc9a331d017297ff5af400fed8

    SHA256

    31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

    SHA512

    f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-HO7T8.tmp\update.bat
    Filesize

    108B

    MD5

    7750d3957b8d273a0e7ed2f286271c9c

    SHA1

    052adf5997f2b6af2d35b05ccd2bf2277d1dcbd7

    SHA256

    e954a52eb9053a5810bd794746c53b83d845dc8bdc1c7c5ba7529de58bcd9b9e

    SHA512

    c003c131c3f1655a44c19a5aa53f4ca5e8f31a8342e4671b6312bb64e97c1f9301744594976fa0b31362c97c673cff11e408ab861e86d578ee6b1db99eee23ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PJ4KH.tmp\Severance S1 E1 Good News About Hell.tmp
    Filesize

    2.9MB

    MD5

    483f176dbba96b35ba22bcf0532339bc

    SHA1

    bca666e63e6125f4486b028aef346f70bf8f9183

    SHA256

    796c1c7562359ae620a8d0d013973b5df32ba28cc5b751f55ae9be2b33cdc698

    SHA512

    5338f5f0d5a76e70b752407597b4eb6552e4bb21715bbcb5633286b6e726cd63c092aba9325df193e1bb1d313514d9c7db0365bd870a09484f955f236bd223e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PJ4KH.tmp\Severance S1 E1 Good News About Hell.tmp
    Filesize

    2.9MB

    MD5

    483f176dbba96b35ba22bcf0532339bc

    SHA1

    bca666e63e6125f4486b028aef346f70bf8f9183

    SHA256

    796c1c7562359ae620a8d0d013973b5df32ba28cc5b751f55ae9be2b33cdc698

    SHA512

    5338f5f0d5a76e70b752407597b4eb6552e4bb21715bbcb5633286b6e726cd63c092aba9325df193e1bb1d313514d9c7db0365bd870a09484f955f236bd223e1

    Download Submit

  • C:\Windows\System32\ServiceUI.exe
    Filesize

    31KB

    MD5

    e4d29bd65acc55b7a59e3e7d2a9427db

    SHA1

    ca3c3e4e25b4773a88521afd3d15a864c39bccb8

    SHA256

    00beee1d3245af45c5066fc662fc218059cf147e6a2d235a61b6614d0b7823f5

    SHA512

    1a1a7ea1dad961a1db9e67afa265affd1add8dbac1d0ff96bd05cdbfea0573f122d141f05f79f4a0fbfab5f2642686b172a2cc7cc20546566e61995f2090b5bd

    Download Submit

  • C:\Windows\System32\ServiceUI.exe
    Filesize

    31KB

    MD5

    e4d29bd65acc55b7a59e3e7d2a9427db

    SHA1

    ca3c3e4e25b4773a88521afd3d15a864c39bccb8

    SHA256

    00beee1d3245af45c5066fc662fc218059cf147e6a2d235a61b6614d0b7823f5

    SHA512

    1a1a7ea1dad961a1db9e67afa265affd1add8dbac1d0ff96bd05cdbfea0573f122d141f05f79f4a0fbfab5f2642686b172a2cc7cc20546566e61995f2090b5bd

    Download Submit

  • C:\Windows\System32\UITheme.exe
    Filesize

    70KB

    MD5

    6194f4be681f206c65ecf0a56ad71523

    SHA1

    22181c8dea1847b348de04dc0f9e2af45342437f

    SHA256

    6317c547be5cd0b860919ad1e1fcce6c6d8ea1a7efc0a335a684a89682d440ec

    SHA512

    f83d6edc0d9445c5e8beb3952c32c4985c01ebbbb7a42213b863479c49666dad12ff5c2a61d734a2f5c63c3c6390dd409e9bea694ec2ad429ea0639e3a8fb0dd

    Download Submit

  • C:\Windows\System32\UITheme.exe
    Filesize

    70KB

    MD5

    6194f4be681f206c65ecf0a56ad71523

    SHA1

    22181c8dea1847b348de04dc0f9e2af45342437f

    SHA256

    6317c547be5cd0b860919ad1e1fcce6c6d8ea1a7efc0a335a684a89682d440ec

    SHA512

    f83d6edc0d9445c5e8beb3952c32c4985c01ebbbb7a42213b863479c49666dad12ff5c2a61d734a2f5c63c3c6390dd409e9bea694ec2ad429ea0639e3a8fb0dd

    Download Submit

  • C:\Windows\System32\serviceui.json
    Filesize

    75B

    MD5

    e5c559ffe673984a0f536b5abfba8021

    SHA1

    b149fa18695e87f5d3ebd25b2335f991fabee492

    SHA256

    4085f1f20ec6d4e17b9e39619a9dd67f10333b22c129c5a7f4c42833e9dec321

    SHA512

    083d608bf5d2560acd9afae24dc030d631d9b36e2c3e7ece69643bc0df0e5e2df9cfe0c300247830eafd27059a82d8f4ae349cf61b8b84301dbc523b32183f0c

    Download Submit

  • memory/4412-17-0x00000000024A0000-0x00000000025E0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4412-16-0x00000000024A0000-0x00000000025E0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4412-6-0x00000000027D0000-0x00000000027D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4412-64-0x00000000027D0000-0x00000000027D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4412-65-0x0000000000400000-0x00000000006FC000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4412-66-0x00000000024A0000-0x00000000025E0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5004-1-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/5004-62-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

    Download