bbe4303c76c52f7393ac21152e95e08735f27ddd070818c76179031e61e6e485

General

Target

f68ecfd28fabcd411e76e01f01b016b8.exe
Size

1.0MB
MD5

f68ecfd28fabcd411e76e01f01b016b8
SHA1

d613f01414a673501cf6657d7486723ff4f58b23
SHA256

bbe4303c76c52f7393ac21152e95e08735f27ddd070818c76179031e61e6e485
SHA512

34ba0b2c69a77c31145505357a648fd849da0f5875ace1da599c01c1ab9243c732bf0f55b204591f11b19458b0bf97a10e46276e58631a26f2b1c4513f8c810b
SSDEEP

24576:kfgFO6nxTySzq3hVNeWY1ANvMALubRDCk/ivJFnz5KU:+g46nxTyeq3hiONUp2kqvJFn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
524	svchos.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	f68ecfd28fabcd411e76e01f01b016b8.exe
1196	cmd.exe
1196	cmd.exe
524	svchos.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2976-0-0x0000000000400000-0x0000000000777000-memory.dmp	vmprotect
behavioral1/memory/2976-1-0x0000000000400000-0x0000000000777000-memory.dmp	vmprotect
behavioral1/memory/2976-12-0x0000000000400000-0x0000000000777000-memory.dmp	vmprotect
behavioral1/files/0x000300000000b1f7-18.dat	vmprotect
behavioral1/files/0x000300000000b1f7-17.dat	vmprotect
behavioral1/memory/2976-16-0x0000000000400000-0x0000000000777000-memory.dmp	vmprotect
behavioral1/files/0x000300000000b1f7-15.dat	vmprotect
behavioral1/files/0x000300000000b1f7-14.dat	vmprotect
behavioral1/memory/524-30-0x0000000000400000-0x0000000000777000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Kin = "C:\\Program Files\\helps\\svchos.exe"	f68ecfd28fabcd411e76e01f01b016b8.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\helps\svchos.exe	f68ecfd28fabcd411e76e01f01b016b8.exe
File opened for modification	C:\Program Files\helps\svchos.exe	f68ecfd28fabcd411e76e01f01b016b8.exe
File created	C:\Program Files\helps\UUWiseHelper.dll	svchos.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1020	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2976	f68ecfd28fabcd411e76e01f01b016b8.exe
2976	f68ecfd28fabcd411e76e01f01b016b8.exe
2976	f68ecfd28fabcd411e76e01f01b016b8.exe
2976	f68ecfd28fabcd411e76e01f01b016b8.exe
524	svchos.exe
524	svchos.exe
524	svchos.exe
524	svchos.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1196	2976	f68ecfd28fabcd411e76e01f01b016b8.exe	29
PID 2976 wrote to memory of 1196	2976	f68ecfd28fabcd411e76e01f01b016b8.exe	29
PID 2976 wrote to memory of 1196	2976	f68ecfd28fabcd411e76e01f01b016b8.exe	29
PID 2976 wrote to memory of 1196	2976	f68ecfd28fabcd411e76e01f01b016b8.exe	29
PID 1196 wrote to memory of 1020	1196	cmd.exe	31
PID 1196 wrote to memory of 1020	1196	cmd.exe	31
PID 1196 wrote to memory of 1020	1196	cmd.exe	31
PID 1196 wrote to memory of 1020	1196	cmd.exe	31
PID 1196 wrote to memory of 524	1196	cmd.exe	33
PID 1196 wrote to memory of 524	1196	cmd.exe	33
PID 1196 wrote to memory of 524	1196	cmd.exe	33
PID 1196 wrote to memory of 524	1196	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\f68ecfd28fabcd411e76e01f01b016b8.exe
"C:\Users\Admin\AppData\Local\Temp\f68ecfd28fabcd411e76e01f01b016b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /F /IM "f68ecfd28fabcd411e76e01f01b016b8.exe"&"C:\Program Files\helps\svchos.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM "f68ecfd28fabcd411e76e01f01b016b8.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Program Files\helps\svchos.exe
    "C:\Program Files\helps\svchos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\helps\svchos.exe

Filesize
714KB

MD5
c76aa84dd3e3aced9b18f0a5eb95d1b8

SHA1
106db5aabfd769e4424b493cfc38340440545fe9

SHA256
7de177a443e074199eee4c923bdb6064efc8ca6e24a85b0061a4956426f4970c

SHA512
0a9676af53adf817f1394d992eec434f160d2b075ce4d3a381f0b27bb75b3285f5ac734e0675ddacbec06f25dae4c7284c8a3dd95b68ae226b90b45097a2d119

Download Submit
C:\Program Files\helps\svchos.exe

Filesize
762KB

MD5
b0b4a37add82756de9e89aa8f0a6641c

SHA1
aa6e9d67fa840d5b1b566c5f8f2f4472c3174dd7

SHA256
77bef37b5272408b253937369c858d1e6f9aba5d3cbf323940d0cdd93478eae8

SHA512
ea29c8f465dcad129062bd00c149ab4b6feb0a2634a195217aa4106d2d55b896274a363fdedc7ec29fb7f99f0ff19ca09b693442dd7615ebe9c0d19aeac7be9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUWiseHelper.dll

Filesize
265KB

MD5
159d237494637c80f2359020cdf7b2a9

SHA1
78591f1657a0617ecbab98dcf9f9488689f96140

SHA256
aa9bf587f8e1fde3ceea5d324226f3fd2f379cfdcd47ff933f5db01a23edfc2b

SHA512
8b87f6e58aaedd66102e412736956714c86084fdf231c13d2d43ce05735f8e704b2aefd414bd69eb0f80f419621d6d6a1ebf65a62501a0a207e394c0499b97ee

Download Submit
\Program Files\helps\UUWiseHelper.dll

Filesize
284KB

MD5
afd14de763f7c540e686afdc55281039

SHA1
0318a2650104e5eb7b6ca7c02d1e54f276a4f14c

SHA256
09a3bf6a8df99c692ba656779c94932a08b61c21350a4bba4bf19afb40076c6c

SHA512
4ad521f270ea54359c91084f76c9287bea9e93533681d766aa7f7dce60f1f731244c27020af141f8a8329ad6c9ec6b080a1cc7665a14b8cdc3bdbb632905a321

Download Submit
\Program Files\helps\svchos.exe

Filesize
961KB

MD5
b26fee7bccbdb9576f896a6eb0523ff2

SHA1
628dce89a56482472720546f1013b213cad629f6

SHA256
3e28ca20091e810497f792621ee415610f5b4f3f4a1dea3ae7fc24b6d4afd730

SHA512
665e76941d21380c22207778fafdd53165e5af090abce42f500f6ef38fd6a42a0b0389cb76b7d9824f32c8ec6785f01041766eb5bf65f082565223d2f0909cee

Download Submit
\Program Files\helps\svchos.exe

Filesize
660KB

MD5
db3dcaa74aa09a3c83f605204cc1447b

SHA1
7a364be5fa004fe5fea5683e32d26bd3a2f66fdd

SHA256
4017d68226f5a89c0ae8e20042c31c0b6a7eb859a1d7421b7cd6a5ef86b60c4a

SHA512
3c824cd35497607e3ab2a4dbb63b5def396e8d47e52c86287d5cfbf8ecbf450511dd07a652d50eb8213b31344d38eda61b1e32b488d50a5c1a377f6099265c8f

Download Submit
\Users\Admin\AppData\Local\Temp\UUWiseHelper.dll

Filesize
156KB

MD5
d78710bad55d1bb33eb8586671501e54

SHA1
2f3527c97526e5cba476a733164b21336fe1b221

SHA256
9c7f0b261ceee36d13a43e7dbfd15e55d0055e3c3a52035db9cbccb41353debe

SHA512
41006bf97403e706dab9ff65836a5b4831832fbc06d993cad81f2d37ec99ee0ce9bc7c40be25a31124f46bbcab979a8e4128cad503fdb915fdf628a2cc5b2dae

Download Submit
memory/524-30-0x0000000000400000-0x0000000000777000-memory.dmp

Filesize
3.5MB

Download
memory/2976-0-0x0000000000400000-0x0000000000777000-memory.dmp

Filesize
3.5MB

Download
memory/2976-1-0x0000000000400000-0x0000000000777000-memory.dmp

Filesize
3.5MB

Download
memory/2976-12-0x0000000000400000-0x0000000000777000-memory.dmp

Filesize
3.5MB

Download
memory/2976-16-0x0000000000400000-0x0000000000777000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads