81e9ca7e2243a5caec964aefcaec3ef542cacfa370642c6d9cb0947cfbace0a4

General

Target

0922ca6a4a045310466eb8c39d0e7990.exe
Size

558KB
MD5

0922ca6a4a045310466eb8c39d0e7990
SHA1

aba632544f4a894c7d9be0c83ddf2d8637033268
SHA256

81e9ca7e2243a5caec964aefcaec3ef542cacfa370642c6d9cb0947cfbace0a4
SHA512

19183c4258cd2a01dac793b99cab216a629fcd9891a1eb6cc8c72111d731ff85472dfc53ce492bbf9bfa16ce5ad8fe5ea03236e02094350cee8f122f37549b6f
SSDEEP

12288:21+vKnoA0cdoIl9jmDBJ4Uh2DEq/51r575O65n9Vy:e+vg0HU9EP4UheEq/B79a

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	0922ca6a4a045310466eb8c39d0e7990.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x0000000000551000-memory.dmp	upx
behavioral1/files/0x000d000000012262-12.dat	upx
behavioral1/memory/3036-20-0x0000000000400000-0x0000000000551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	0922ca6a4a045310466eb8c39d0e7990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3036	0922ca6a4a045310466eb8c39d0e7990.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	0922ca6a4a045310466eb8c39d0e7990.exe
3036	0922ca6a4a045310466eb8c39d0e7990.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 832	3036	0922ca6a4a045310466eb8c39d0e7990.exe	29
PID 3036 wrote to memory of 832	3036	0922ca6a4a045310466eb8c39d0e7990.exe	29
PID 3036 wrote to memory of 832	3036	0922ca6a4a045310466eb8c39d0e7990.exe	29
PID 3036 wrote to memory of 832	3036	0922ca6a4a045310466eb8c39d0e7990.exe	29
PID 3036 wrote to memory of 2684	3036	0922ca6a4a045310466eb8c39d0e7990.exe	28
PID 3036 wrote to memory of 2684	3036	0922ca6a4a045310466eb8c39d0e7990.exe	28
PID 3036 wrote to memory of 2684	3036	0922ca6a4a045310466eb8c39d0e7990.exe	28
PID 3036 wrote to memory of 2684	3036	0922ca6a4a045310466eb8c39d0e7990.exe	28

C:\Users\Admin\AppData\Local\Temp\0922ca6a4a045310466eb8c39d0e7990.exe
"C:\Users\Admin\AppData\Local\Temp\0922ca6a4a045310466eb8c39d0e7990.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
2004bcee923b0e0222f4cab87c2c2a3d

SHA1
0a3c122b7cfe403403d913ecc1b328480b1bfc2a

SHA256
f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77

SHA512
cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
721B

MD5
8a8138117fcf0ad9eb9ef52dc164b8bd

SHA1
046f364eef5e78e5e1515b9b3861db8756fcfc4f

SHA256
b389dcb8809a4dabffde413963c4de764ab340f3b28d1da35ed72b432ddb0002

SHA512
8715308a879afc8060944477e881367b886b79474fbc7f85db1b6b8bf131baa812908595d09df789c2828b2092601c3261428b9a27f77e0bd461f2a8ff9223ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
558KB

MD5
2ef5368af8ef0de5c9e027f684cc7517

SHA1
343370f754954975da4e15dfa05bab412854cb25

SHA256
656f3575f9a6fbac2a83c6706fe2c5197f8bf36867fd647ec1671f6dcdd0484b

SHA512
8e22f5681f78ef58556beb1afe0762555d817c6c0366b42ce48f87d8e4bd8c4102162f41c03f918fa8e9fee96064e1c2b026c6cd4ee42e2aa7e50a1c25997f1f

Download Submit
memory/3036-0-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3036-18-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/3036-15-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/3036-20-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3036-21-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/3036-23-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads