3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe

General

Target

36dc5d703aa8c14058f96671fa749d18.exe
Size

64KB
MD5

36dc5d703aa8c14058f96671fa749d18
SHA1

ee18ac063f3a8073cce2a0a8d2981d0c7051fd71
SHA256

3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe
SHA512

88ab7072b5b93b07551e35baf94d31050039d45f113971dd713c39b2540a284b7ff30b652e75768a4e451710486d8d0ac516a4dcabdfc60c371c4cc2cc503176
SSDEEP

1536:orH0Srs6+3ns8LQsD2yif7iWgzF5PjBS6sxwfz:orH1K88TD2/fmJlVL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	svohcst.exe
2776	svohcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2384	cmd.exe
2384	cmd.exe
2720	svohcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Download = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svohcst.exe"	svohcst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2372	36dc5d703aa8c14058f96671fa749d18.exe
2224	36dc5d703aa8c14058f96671fa749d18.exe
2720	svohcst.exe
2776	svohcst.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe
2776	svohcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2224	2372	36dc5d703aa8c14058f96671fa749d18.exe	28
PID 2372 wrote to memory of 2224	2372	36dc5d703aa8c14058f96671fa749d18.exe	28
PID 2372 wrote to memory of 2224	2372	36dc5d703aa8c14058f96671fa749d18.exe	28
PID 2372 wrote to memory of 2224	2372	36dc5d703aa8c14058f96671fa749d18.exe	28
PID 2224 wrote to memory of 2384	2224	36dc5d703aa8c14058f96671fa749d18.exe	29
PID 2224 wrote to memory of 2384	2224	36dc5d703aa8c14058f96671fa749d18.exe	29
PID 2224 wrote to memory of 2384	2224	36dc5d703aa8c14058f96671fa749d18.exe	29
PID 2224 wrote to memory of 2384	2224	36dc5d703aa8c14058f96671fa749d18.exe	29
PID 2384 wrote to memory of 2720	2384	cmd.exe	31
PID 2384 wrote to memory of 2720	2384	cmd.exe	31
PID 2384 wrote to memory of 2720	2384	cmd.exe	31
PID 2384 wrote to memory of 2720	2384	cmd.exe	31
PID 2720 wrote to memory of 2776	2720	svohcst.exe	32
PID 2720 wrote to memory of 2776	2720	svohcst.exe	32
PID 2720 wrote to memory of 2776	2720	svohcst.exe	32
PID 2720 wrote to memory of 2776	2720	svohcst.exe	32

C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
"C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
  C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\run.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\svohcst.exe
      "C:\Users\Admin\AppData\Local\Temp\svohcst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\svohcst.exe
        
        C:\Users\Admin\AppData\Local\Temp\svohcst.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
238B

MD5
c3683660766aca9dc14c7812398a5a87

SHA1
26c41b8ebe62e7f63c9f41f3fed5eb2222e890cd

SHA256
edee4c5db4ede0ce1777b5c77f228bac8bce1cc51d5cf193ab6e81a36c36566a

SHA512
95f8bf3aac9d1e4e3c5cc88f8f1814b5ab799952da982a666bf21d1a7fb67ee0d9814ed09cbff221a4a18da436b1cc6f519b6c87d0548cc321e8586afec44d0e

Download Submit
\Users\Admin\AppData\Local\Temp\svohcst.exe

Filesize
64KB

MD5
36dc5d703aa8c14058f96671fa749d18

SHA1
ee18ac063f3a8073cce2a0a8d2981d0c7051fd71

SHA256
3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe

SHA512
88ab7072b5b93b07551e35baf94d31050039d45f113971dd713c39b2540a284b7ff30b652e75768a4e451710486d8d0ac516a4dcabdfc60c371c4cc2cc503176

Download Submit
memory/2224-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2224-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2372-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2372-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2720-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2720-19-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2720-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2776-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads