Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2023 10:52
Behavioral task: behavioral1
- Sample: 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Resource: win10v2004-20231222-en
General
- Target: 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Size: 149KB
- MD5: 333a2ddeff0c9ca32c0acb16c599ceca
- SHA1: c436a8a68d18b4a11725b1f7eab668c7be0023b9
- SHA256: cd2ce43e3d6e54043f36430a56e4851247146ff5c28c4435560ec2a25c931567
- SHA512: 6a15f03cab2d4616e92cc43b18e31f6b16478e2cb6329230cc6999acf4846065866b5f861024f33c64c603b48dac3d00516c2cf09b4bbd71511ed32a8fcdb043
- SSDEEP: 3072:RVXRx6bQjbySzxL+jnKi0ChHnyYLG5fxa2HNCXkbFmGgzlG6yYIv:RdRs8uS9LkhHVi5pa2tCXkhNgzlGZY
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\xfrqixt1oxhuqsvfolfjcqezftwzqwvb2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xfrqixt1oxhuqsvfolfjcqezftwzqwvb2\\svcnost.exe:*:Enabled:ldrsoft" | svcnost.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | svcnost.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | svcnost.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | svcnost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  Processes:
  resource | yara_rule
  behavioral2/memory/1764-0-0x0000000000400000-0x000000000046E000-memory.dmp | upx
  behavioral2/memory/3776-7-0x0000000000400000-0x000000000046E000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssend = "\"C:\\Users\\Admin\\AppData\\Roaming\\xfrqixt1oxhuqsvfolfjcqezftwzqwvb2\\svcnost.exe\"" | 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe
  1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid | process
  1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1764 wrote to memory of 3776 | 1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe | svcnost.exe
  PID 1764 wrote to memory of 3776 | 1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe | svcnost.exe
  PID 1764 wrote to memory of 3776 | 1764 | 333a2ddeff0c9ca32c0acb16c599ceca.exe | svcnost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\333a2ddeff0c9ca32c0acb16c599ceca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\333a2ddeff0c9ca32c0acb16c599ceca.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\xfrqixt1oxhuqsvfolfjcqezftwzqwvb2\svcnost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\xfrqixt1oxhuqsvfolfjcqezftwzqwvb2\svcnost.exe"
    - Modifies firewall policy service
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Downloads
- memory/1764-0-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/1764-1-0x0000000002070000-0x0000000002076000-memory.dmp (Filesize: 24KB)
- memory/1764-2-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/1764-5-0x0000000002660000-0x000000000266C000-memory.dmp (Filesize: 48KB)
- memory/1764-11-0x0000000002660000-0x000000000266C000-memory.dmp (Filesize: 48KB)
- memory/1764-10-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/3776-7-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/3776-13-0x00000000020A0000-0x00000000020BE000-memory.dmp (Filesize: 120KB)
- memory/3776-14-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/3776-16-0x00000000020A0000-0x00000000020BE000-memory.dmp (Filesize: 120KB)