d7dc9b65641f4eba1474e3d50be0f4f64df210a459a7e9cf544c6f81d59830eb

General

Target

4960873709b36a8b7fb85ed766605d4e.exe
Size

1.1MB
MD5

4960873709b36a8b7fb85ed766605d4e
SHA1

8ae792b830869a3bdb36e0e24b9ec4cb2bdad337
SHA256

d7dc9b65641f4eba1474e3d50be0f4f64df210a459a7e9cf544c6f81d59830eb
SHA512

927ae7a7e640d9100e2a129502069d28cde35c77cbf8620269dbc6d4df723384470fbb1d1f498aadb3d79b50e8f5d3e362d33cbcc32575b98fe377c51d9f97b0
SSDEEP

24576:4qg8zeKPja85nd0T9RAN0P30mqym6hzsGoRlG4qqjwg1mRWRuU:44zeI/0XqymkulG4qmxmiuU

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	4960873709b36a8b7fb85ed766605d4e.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	4960873709b36a8b7fb85ed766605d4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1916	4960873709b36a8b7fb85ed766605d4e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	4960873709b36a8b7fb85ed766605d4e.exe
1916	4960873709b36a8b7fb85ed766605d4e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2672	1916	4960873709b36a8b7fb85ed766605d4e.exe	29
PID 1916 wrote to memory of 2672	1916	4960873709b36a8b7fb85ed766605d4e.exe	29
PID 1916 wrote to memory of 2672	1916	4960873709b36a8b7fb85ed766605d4e.exe	29
PID 1916 wrote to memory of 2672	1916	4960873709b36a8b7fb85ed766605d4e.exe	29
PID 1916 wrote to memory of 2652	1916	4960873709b36a8b7fb85ed766605d4e.exe	28
PID 1916 wrote to memory of 2652	1916	4960873709b36a8b7fb85ed766605d4e.exe	28
PID 1916 wrote to memory of 2652	1916	4960873709b36a8b7fb85ed766605d4e.exe	28
PID 1916 wrote to memory of 2652	1916	4960873709b36a8b7fb85ed766605d4e.exe	28

C:\Users\Admin\AppData\Local\Temp\4960873709b36a8b7fb85ed766605d4e.exe
"C:\Users\Admin\AppData\Local\Temp\4960873709b36a8b7fb85ed766605d4e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
5611518085f0e601b7af262b73ca1e21

SHA1
679e284b4e15030b11e9fcab9e54090f6128c6c2

SHA256
8e59e3dc5427519534af0cfb2713d94388d03240f4f6d2c9ec6a13db1d9812ab

SHA512
0fc4c396d00386c7942366bab8bf30b59723f4a8b0d5bfe00dbc4a74df13acb68cd6616694a81de199bcd2409ff41b6dcaca931614165deefadd728350c52bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
721B

MD5
029159ede06595c78d61b01f24e12728

SHA1
00a1f9ccf137499860eda8b51c93893b907a3912

SHA256
cb2cd63de8deed684ba38270803dfc49c6acc8d7703a0b1417385dd9a5bf7bdc

SHA512
cf2e18c0ab0095a38f2c6eb16c21ce8f4a096976a3d65a07e8073d010095682fa740224bcae2c02fc03de97c0a90070dd0fe1d02428ffc4481a9756ed5f94ed7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
70c430c288b31649de7f29d28d0d7cd5

SHA1
09c1b8595fcea87df3bfe597ddd0ed38b68f18c9

SHA256
8394dfd20957905433db3ebced32ead23cf6845463e03b51864de9f8ca8309b8

SHA512
e71aef50ad7879603d50679ceee715bfce92d86a40f617ccd6d67da351cc751bf9fa8309ddd1371e1774d90691d8fb9e47341c3915fdf16713e1d0bbad0545e5

Download Submit
memory/1916-1-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1916-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1916-17-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/1916-18-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/1916-21-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1916-23-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/1916-24-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads