2bcda1b7bb6bbf3e07c9a2fc96c27b10d9fe6a201c38864f8bf192d2a1caf9a4

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DATA.scr
Size

889KB
MD5

29edd2fbedcfd056c4227eb762de516e
SHA1

01053aff28fc7ae32d9800b676d79828e18cb75f
SHA256

462a637a40d4a1b00fb846ac7c4dea44a2a66bef583e69423f7ad5c12c34a8ef
SHA512

f1faa29fb5ab51dd9de94a53ec0496a65bee302f2da2b7d596685e7a26ed6768040589ead8fcd274ccabf78352bf671ae045a836a0f34c38017ce2c79c6a18e5
SSDEEP

24576:BX48QE+U/hHKp3TN0gEkIdO9DIWJH+OndSrW6WZr+GSPwx5b:BXz+wHKn0kIEBJeY+56pSPS

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2692	svchost.exe
2572	svchost.exe
3012	svchost.exe
2876	svchost.exe
2100	svchost.exe
1780	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
1732	DATA.scr
1732	DATA.scr
2572	svchost.exe
2572	svchost.exe
3012	svchost.exe
2876	svchost.exe
2876	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\progrmma = "C:\\Program Files (x86)\\xexe\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\progrmma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xexe\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2572	2692	svchost.exe	30
PID 3012 set thread context of 2876	3012	svchost.exe	32
PID 2100 set thread context of 1780	2100	svchost.exe	34

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe	DATA.scr
File created	C:\Program Files (x86)\xexe\svchost.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\xexe\svchost.exe	svchost.exe
File created	C:\Program Files (x86)\xexe\privetik.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\xexe\privetik.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	svchost.exe
2876	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2692	svchost.exe
3012	svchost.exe
2100	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2692	1732	DATA.scr	18
PID 1732 wrote to memory of 2692	1732	DATA.scr	18
PID 1732 wrote to memory of 2692	1732	DATA.scr	18
PID 1732 wrote to memory of 2692	1732	DATA.scr	18
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2692 wrote to memory of 2572	2692	svchost.exe	30
PID 2572 wrote to memory of 3012	2572	svchost.exe	31
PID 2572 wrote to memory of 3012	2572	svchost.exe	31
PID 2572 wrote to memory of 3012	2572	svchost.exe	31
PID 2572 wrote to memory of 3012	2572	svchost.exe	31
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 3012 wrote to memory of 2876	3012	svchost.exe	32
PID 2876 wrote to memory of 2100	2876	svchost.exe	33
PID 2876 wrote to memory of 2100	2876	svchost.exe	33
PID 2876 wrote to memory of 2100	2876	svchost.exe	33
PID 2876 wrote to memory of 2100	2876	svchost.exe	33
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34
PID 2100 wrote to memory of 1780	2100	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\DATA.scr
"C:\Users\Admin\AppData\Local\Temp\DATA.scr" /S
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe
  "C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe
    "C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Program Files (x86)\xexe\svchost.exe
        
        "C:\Program Files (x86)\xexe\svchost.exe" runas
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Program Files (x86)\xexe\svchost.exe
        
        "C:\Program Files (x86)\xexe\svchost.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
146KB

MD5
28821314757e2580ece6a2694fd3b294

SHA1
2157156b87b3e3abe312e765956adf22b16881d4

SHA256
d899af420d716b9d289bdb6c7c16f6cb4a03c4834e59cdaa780e5b8c90c81df5

SHA512
fbfb36dde9d64367a53c5679b943b5d1b50fd9c8997b7419edd63a7b6413eaecfab26ced6cc83bc653b15d7a479a1b1d27b465f8a38323816a24f7d1eacde08c

Download Submit
C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
93KB

MD5
7fc87d654858e20b2bf72c09e97e078f

SHA1
7b7ca1c80c90c209cc70eca39e93e1601d6617b1

SHA256
c52e66197be52af5d98d85d26c15d931d82225db44237a48933aa6df74cfc699

SHA512
133ff02d51f16ff189c1df89fd0cd302efd15c69a96f6c44fff7dfd19a24868a1972d40cb9df1330921c64b7a92d638dd5d1a8f94637f36b37eafac59e2d261a

Download Submit
C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
64KB

MD5
d070461f7c0731b6ab7b357fef3328a4

SHA1
c9b2a6decf77b528fb61030d248a50cb50b28aed

SHA256
fac20738c0471c02392ae7690406d677cebb9ef67152bab748ae239d5df1aedf

SHA512
eb6f3fe020fd3ffac42da2df6f0c3f2bee8d7a54210cfdae86a5fbd39d8ea994da6c27219891d0224e97cf0229e89165d8478f39e7433830b4a32ee4d238127d

Download Submit
C:\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
355KB

MD5
46b294b773763fab02166716ce3be3d9

SHA1
63766f8f269c4941b235aeede648c59e9c02b0e1

SHA256
cf365645c279a3e0fb167175cfc2aa68c88cfa488decff828dfc103971eb25e9

SHA512
18656bbea985b1bb0d57689f3a5b92e47c757d2ad807684c5ac4e0414c0e344e7f2795ed1ad78d06b3a9bdf60e4cee37d0327069b7e96269ba9f3342d6240fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe

Filesize
377KB

MD5
f1eadbd73a7e105974058dd39761e93c

SHA1
dd6119e35de2703c3f9f049c340b6a1f4e7a6aad

SHA256
5881b469b07ec3f0169c1c56bc39925c2e7f2ce29510c891cc26784c530add34

SHA512
a59eba0961f425efbb0dd5037f08202fc23569689a10a566cde56fe187d326a72b747944213c72287e5a5d6fe71062f450563d09d01993d0bb20d435927518f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe

Filesize
278KB

MD5
afab0b98e5191b33abab5fd07699e1c3

SHA1
9863327441346edb57ebab95c77e2e642547cbca

SHA256
de9672b579cbf3999537da4bb7c2be088d6e1b51579ce78e0bb53c648ee01dd4

SHA512
949125e540ade96a96bd69fdb8cd99978ad7a9a450321b656ae01d326211fc62f54d697dccf89b3f5f963094bb8245718bfbdcb5813717395df5097df382f0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xexe\svchost.exe

Filesize
717KB

MD5
e9180da6f9d802b4ed9a8cb0f14892a0

SHA1
d066edac955d1cf5b8a5aedc9b04ece7473925e6

SHA256
dcfa2aed95359f3e3ad74c5b3a7580746cd4d1185cd237827c461e61105d2acd

SHA512
61e8226ac610e2811baa779fb43a822f514987419d1dbbab7e9ac4921ead21c007f446ec37b83de9c99d977dcf2a8485fad9dca5afc198288dc8b1a5e5d54b66

Download Submit
\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
156KB

MD5
d85ed5e03c61d13324d431e1edecb33b

SHA1
bab50cec3222edb088c66fdf739cd7a2484b610e

SHA256
64cab8b3fae8a4e683273d49e85769c37b443c1a44ce87fca6b68b9164fb5e4b

SHA512
ece26d3fe99e3f30132cea5730eafef36bcd34d02872a2c7018bf1c5a7afce97831b686687245e6ec547b0367c63fe37f460d259a464efbcd90e8f52b73f23de

Download Submit
\Program Files (x86)\Informacionnye Texnologii\Mail Attachment\svchost.exe

Filesize
164KB

MD5
757142a1a1856e3524e1cd1ea9f378df

SHA1
3534cc0a07010d3030167e192e50bede9af90212

SHA256
3227aeca941958bd28a928851cbfb9029619ce8c012dc5f2f0d81e2fbe411b05

SHA512
c06607ed2b672c05905fc54dbec9cb231f31ce9db97774e8450e629df9d757d1e7e4a602fe398f6b5176bafe4233deb667de0c3a1ae948bf554c8ccacd280824

Download Submit
\Users\Admin\AppData\Local\Temp\xexe\svchost.exe

Filesize
514KB

MD5
1ef5a0612cf6db870479e11eaab1b3a9

SHA1
57ef04d9a14c7d2368b7435fa97937854b6e274a

SHA256
ebe28dedb8c0d9911ff893a98e6588a6103d9e14c809c4477b319afbd7804e4d

SHA512
ac6f05b37041fadb56132c9267c909bddd903ce17a23bfaf81194a655838c23706fa9e06f4bf0bab2276b6317e38d0e5b47e02c00730f143eb0c05f1bcb4093a

Download Submit
\Users\Admin\AppData\Local\Temp\xexe\svchost.exe

Filesize
330KB

MD5
77cd31bf00d97b8083b527a2819adefb

SHA1
56f9d032f8a6e958f5d6eaa92338c9082a685c45

SHA256
723cf83d08088d6b52c32882083e105097e737b708114c333f8a5ba19ebd30fd

SHA512
73532aa52f2383cfe6281dd8a25f59d5ed8dec1d7f6729bafac1bb8d77fdbfbfaac273b7316da73f6e81b21c5b44c84c325f5110145657afd456b1b4aadc5f38

Download Submit
memory/1732-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-111-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-107-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-106-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-102-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-110-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-113-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-115-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1780-114-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-30-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-49-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2572-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2876-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2876-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download