e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935

General

Target

0a7a9a7f98f1c04893b5225fada2f1c2.exe
Size

1.2MB
MD5

0a7a9a7f98f1c04893b5225fada2f1c2
SHA1

7a2efc197f2d6dadb60621174fb0c4a5085b8c41
SHA256

e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935
SHA512

c614909d57492f27dd3b0e1142755220487914b144da00bb28405f5cb20c452179d4a1b025a6df541c54c24cbcca3e46089458ac179e940d8998bd5369018c7b
SSDEEP

3072:aWGy5OYg60KG+LVowg/e3QT10CF0L+LW1HRDHXJxEHMjx8c7n5diH5n4UJYjaVq:Fp8I6rMMD/0J0Sh3p

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	schostd.exe

Loads dropped DLL 4 IoCs

pid	Process
1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe
1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe
1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe
1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVCOSTD = "C:\\Users\\Admin\\updaterd\\schostd.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe
2508	schostd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2732	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	28
PID 1132 wrote to memory of 2732	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	28
PID 1132 wrote to memory of 2732	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	28
PID 1132 wrote to memory of 2732	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	28
PID 2732 wrote to memory of 3056	2732	cmd.exe	30
PID 2732 wrote to memory of 3056	2732	cmd.exe	30
PID 2732 wrote to memory of 3056	2732	cmd.exe	30
PID 2732 wrote to memory of 3056	2732	cmd.exe	30
PID 2732 wrote to memory of 2756	2732	cmd.exe	31
PID 2732 wrote to memory of 2756	2732	cmd.exe	31
PID 2732 wrote to memory of 2756	2732	cmd.exe	31
PID 2732 wrote to memory of 2756	2732	cmd.exe	31
PID 1132 wrote to memory of 2796	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	32
PID 1132 wrote to memory of 2796	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	32
PID 1132 wrote to memory of 2796	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	32
PID 1132 wrote to memory of 2796	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	32
PID 2796 wrote to memory of 2628	2796	cmd.exe	34
PID 2796 wrote to memory of 2628	2796	cmd.exe	34
PID 2796 wrote to memory of 2628	2796	cmd.exe	34
PID 2796 wrote to memory of 2628	2796	cmd.exe	34
PID 1132 wrote to memory of 2508	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	35
PID 1132 wrote to memory of 2508	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	35
PID 1132 wrote to memory of 2508	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	35
PID 1132 wrote to memory of 2508	1132	0a7a9a7f98f1c04893b5225fada2f1c2.exe	35

C:\Users\Admin\AppData\Local\Temp\0a7a9a7f98f1c04893b5225fada2f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\0a7a9a7f98f1c04893b5225fada2f1c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMHZYF.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    REG ADD
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BQuvL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SVCOSTD" /t REG_SZ /d "C:\Users\Admin\updaterd\schostd.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2628
- C:\Users\Admin\updaterd\schostd.exe
  "C:\Users\Admin\updaterd\schostd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMHZYF.bat

Filesize
161B

MD5
7a206e7118c90ba805346aee84b41e91

SHA1
2edcf2ee1cc7d6838486612f38a40ee2aae31dd1

SHA256
1c4bc5d8cdb67d898bdabca4d0489fe7b6b47409899a9113a1db81daf95e8a33

SHA512
64024585e71b97c88f5fe81d520b61e7d919d257b647503e611cb3d887aede222b77fb523269b12308c46a45abf1eb9780147dd51e270b6a90a036a3bb37ff30

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQuvL.bat

Filesize
127B

MD5
e3e411c61d1954c9dbcb1dcddd6e0576

SHA1
88db4956fb95b92056e8542cbbb9a9ce112090df

SHA256
b1a3d8ae0f4dd01c1647b37f23bcdd9bac036224995472e97683fe2aa76dd625

SHA512
4eecf9709a10c2e1a6906d5c95e268c3a1cf36e623cde9c0eb9e97d8abc8e5561b857be927b7bce14be9def8c2ca77b2871bb289050b4bbf1946046f1636adcc

Download Submit
C:\Users\Admin\updaterd\schostd.exe

Filesize
885KB

MD5
ceaa1f849a4af0486f88cd0c86c2fc9a

SHA1
d85b67681cf1386af755594feee3164766a1f81a

SHA256
889312b0ea39bef183eb928e9daf0ed5c1e70ed9f70697d4094ceeddbead2320

SHA512
e97c192b4c70af630828db23086b7138424aec4c2d51938ad34721295d6d2096efece5e52b59d33291131de81db33696ebb5374518a8e4bf684b2bd7da98fc30

Download Submit
C:\Users\Admin\updaterd\schostd.exe

Filesize
1.0MB

MD5
0efb7780cabdf719dcd7726aa9f06465

SHA1
d464523ff6c4ca28aaef6fef275cf0534a6f62e2

SHA256
bbe5900d9113e7a556645ee1a508590bac7a6d751b0088ea45b05942a109a2e9

SHA512
b6ff35cd79465ad1278e667811577671125715d38c484157f0cf30bcca0bc31c2b32de47c0ffff38dcb7263b3b0577a8a20979e8077d42391db8d2766ae5d7b6

Download Submit
\Users\Admin\updaterd\schostd.exe

Filesize
1.2MB

MD5
0a7a9a7f98f1c04893b5225fada2f1c2

SHA1
7a2efc197f2d6dadb60621174fb0c4a5085b8c41

SHA256
e8aed0c136cdb9bc4e945af74612a6acfe7f40345746f0ab30ade612a6d2c935

SHA512
c614909d57492f27dd3b0e1142755220487914b144da00bb28405f5cb20c452179d4a1b025a6df541c54c24cbcca3e46089458ac179e940d8998bd5369018c7b

Download Submit
\Users\Admin\updaterd\schostd.exe

Filesize
1.0MB

MD5
e306f95e984bc9a68ac2a9d1fb715be6

SHA1
3d6237b155b759238ffb120e5f65ac4fb275727b

SHA256
f2bddcd894e24f7643802968d608a635175df4f268f0094034ebddea9c98f3ea

SHA512
c766cbf44ec82a615f21a5463398c629f443885f47fa3fb16870e9929a9815b2a8583ff7bfa1d162308f93aaf568748748992bac46d01acbe6b761c28fd1a815

Download Submit
\Users\Admin\updaterd\schostd.exe

Filesize
851KB

MD5
7702ba4dca16fde7d21f96a9f10ff84c

SHA1
df1f6cf40c6f4fd83ee70189599fa26fa0197cc3

SHA256
dd66e6b41eafbfe37d36ca27d2df237cd547158861a1b8f155cd2877a8ed1f81

SHA512
c71ea88ee512ef562bce9f854db28777d2343b997fbb0f7cdd30e464515f16f4c8b18f8960b98fe62f94bf3011ed8b8861ad42544cc4c7e68569d9792740aaf4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads