03cc85fee1f7601917ed807996281321f6ef8c9bedb29d5a2148cdb3d8b1dde4

Analysis

max time kernel
131s
max time network
37s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc2c68ba1d6479092565143803ca30f.exe
Size

24.0MB
MD5

0dc2c68ba1d6479092565143803ca30f
SHA1

06a47fb3ecf052c8c255dc8dc729151d14ca623b
SHA256

03cc85fee1f7601917ed807996281321f6ef8c9bedb29d5a2148cdb3d8b1dde4
SHA512

51a23ff0e194a74d3901cbaf7a0f44d36e81d7d23dce07ce82d27eae44893bfc5591bb1395bc251e344c7986c17971d3962aef56ca73a35f45d594bd2ad2aa96
SSDEEP

393216:CvTIpUq7xHR7Xv2tg/cbN3F2xKN6TNTXdTOAde851z5WL286X2rXYxtEm:KJq10tQcbN3FbUhNXpH2pK

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "361"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "C:\\ProgramData\\JCXJCX\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	svchost.exe

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	0dc2c68ba1d6479092565143803ca30f.exe
2896	0dc2c68ba1d6479092565143803ca30f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2852	2896	0dc2c68ba1d6479092565143803ca30f.exe	30
PID 2896 wrote to memory of 2852	2896	0dc2c68ba1d6479092565143803ca30f.exe	30
PID 2896 wrote to memory of 2852	2896	0dc2c68ba1d6479092565143803ca30f.exe	30
PID 2896 wrote to memory of 2852	2896	0dc2c68ba1d6479092565143803ca30f.exe	30
PID 2896 wrote to memory of 2848	2896	0dc2c68ba1d6479092565143803ca30f.exe	31
PID 2896 wrote to memory of 2848	2896	0dc2c68ba1d6479092565143803ca30f.exe	31
PID 2896 wrote to memory of 2848	2896	0dc2c68ba1d6479092565143803ca30f.exe	31
PID 2896 wrote to memory of 2848	2896	0dc2c68ba1d6479092565143803ca30f.exe	31

C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe
"C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\ProgramData\NEHNEH\svchost.exe
  C:\ProgramData\NEHNEH\svchost.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
  2⤵
  - Deletes itself
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NEHNEH\svchost.exe

Filesize
8.1MB

MD5
f106b91c3773fa1159da5ed4fc1ddab9

SHA1
2848e2b150fbde93aae88a1ae66fa02d2b66ece7

SHA256
ce2612da259be542a7d628b00a5ed8d6595a4b1a2c1ce7d1e68e5448c3075bc9

SHA512
4d03320deae61fab8efd21d16ecca0685cb0cc5e46cd916790a18a157d22b1a8b0d597b2c2fc1181f02666f7fd9c3722c6e746198e5f479ee4a108597d6b11c3

Download Submit
C:\ProgramData\NEHNEH\svchost.exe

Filesize
7.8MB

MD5
e3a2ce41071e5f937a1b2dee9473807c

SHA1
57b6988ff877c78f65df9cb2e005714ebbb4de23

SHA256
4dbbe68850bf6a9ae173cdda760f8888736c03ed70d55fbe8e43e6b4f28442d9

SHA512
69b8d814b33d9b7a0ad79ac4872eca3d3cf8c6c67409e1d3c4c91dc2feebdd68d731c92553ccc0e0deb92a4f0a283551da6a1618c268b68d3098dd9f926d6b88

Download Submit
\ProgramData\NEHNEH\svchost.exe

Filesize
5.5MB

MD5
a3e000b83d36abf9df0ebeee835988a8

SHA1
525a207887f151d45b6af6d3c3e7c4349951aae8

SHA256
bee383710e8f0ac35f03fdc1c8258fd5cb5878362723d2f6449ffeaf49e16e05

SHA512
bd9160f0adb572df149b1fefe4cbcceb03046ea32cab1234d9a16682286ca2007f19546328020c80f9cde2b4aaee471f31bc573d22858f1a427004fc53f2c28d

Download Submit
\ProgramData\NEHNEH\svchost.exe

Filesize
5.3MB

MD5
dab3043e7fd6e3e318d4b7ab518b0c05

SHA1
e4e50ecea091e8f86504fa9a95e68a01c5af026a

SHA256
070748f48589e578451603d7fe4584021a93f629c8794d5d687f248f49aefcaf

SHA512
c9a98c382fd6339567c54da4cf8fd9b2091e893b408117db413cd964473659aed4967e2a17c25434f0af122504164f27ec81e1a3d89a7c3ac9c842582f7975a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads