03cc85fee1f7601917ed807996281321f6ef8c9bedb29d5a2148cdb3d8b1dde4

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc2c68ba1d6479092565143803ca30f.exe
Size

24.0MB
MD5

0dc2c68ba1d6479092565143803ca30f
SHA1

06a47fb3ecf052c8c255dc8dc729151d14ca623b
SHA256

03cc85fee1f7601917ed807996281321f6ef8c9bedb29d5a2148cdb3d8b1dde4
SHA512

51a23ff0e194a74d3901cbaf7a0f44d36e81d7d23dce07ce82d27eae44893bfc5591bb1395bc251e344c7986c17971d3962aef56ca73a35f45d594bd2ad2aa96
SSDEEP

393216:CvTIpUq7xHR7Xv2tg/cbN3F2xKN6TNTXdTOAde851z5WL286X2rXYxtEm:KJq10tQcbN3FbUhNXpH2pK

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "361"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "C:\\ProgramData\\DYJDYJ\\svchost.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1676	1528	0dc2c68ba1d6479092565143803ca30f.exe	91
PID 1528 wrote to memory of 1676	1528	0dc2c68ba1d6479092565143803ca30f.exe	91
PID 1528 wrote to memory of 1676	1528	0dc2c68ba1d6479092565143803ca30f.exe	91
PID 1528 wrote to memory of 4540	1528	0dc2c68ba1d6479092565143803ca30f.exe	97
PID 1528 wrote to memory of 4540	1528	0dc2c68ba1d6479092565143803ca30f.exe	97
PID 1528 wrote to memory of 4540	1528	0dc2c68ba1d6479092565143803ca30f.exe	97

C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe
"C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\ProgramData\OVCOVC\svchost.exe
  C:\ProgramData\OVCOVC\svchost.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\0dc2c68ba1d6479092565143803ca30f.exe"
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OVCOVC\svchost.exe

Filesize
70KB

MD5
e1e75eae3cddbf9140d1e32413c7c4e0

SHA1
fec301507bb3fd201bde47328c9067b25c929dd1

SHA256
403e204b8f1e79016f91d74193593f296ad0b844b323069b8578d8541e597115

SHA512
22659ecc76e5a2c7439136d54918321c1b8834f23fe9364fe0eb75ddb63bf2c7626b10c04e00aa359af2b6b14d0fad57210c394d70354c0bab61bb7271de0d2f

Download Submit
C:\ProgramData\OVCOVC\svchost.exe

Filesize
89KB

MD5
b3edb4fb80dff313b5b79be15ba21322

SHA1
80e65b9dab01e32fde35380005df66d2e3af20bc

SHA256
228796a82c3d3bb07a7a0927dfd873ca3be4d8fc766c7e0f5f243cbbf1ea1b29

SHA512
f6c21df0abef897a838e98a3dd99c2e1d3fa0eeb591fcf3c77515dacd029757d22fab1a17e3496cb0660cb551f241d8ef087d4636a32000fe53a539d0eac0202

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads