3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36dc5d703aa8c14058f96671fa749d18.exe
Size

64KB
MD5

36dc5d703aa8c14058f96671fa749d18
SHA1

ee18ac063f3a8073cce2a0a8d2981d0c7051fd71
SHA256

3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe
SHA512

88ab7072b5b93b07551e35baf94d31050039d45f113971dd713c39b2540a284b7ff30b652e75768a4e451710486d8d0ac516a4dcabdfc60c371c4cc2cc503176
SSDEEP

1536:orH0Srs6+3ns8LQsD2yif7iWgzF5PjBS6sxwfz:orH1K88TD2/fmJlVL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3064	svohcst.exe
4408	svohcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Download = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svohcst.exe"	svohcst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4872	36dc5d703aa8c14058f96671fa749d18.exe
1360	36dc5d703aa8c14058f96671fa749d18.exe
3064	svohcst.exe
4408	svohcst.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe
4408	svohcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1360	4872	36dc5d703aa8c14058f96671fa749d18.exe	15
PID 4872 wrote to memory of 1360	4872	36dc5d703aa8c14058f96671fa749d18.exe	15
PID 4872 wrote to memory of 1360	4872	36dc5d703aa8c14058f96671fa749d18.exe	15
PID 1360 wrote to memory of 3604	1360	36dc5d703aa8c14058f96671fa749d18.exe	20
PID 1360 wrote to memory of 3604	1360	36dc5d703aa8c14058f96671fa749d18.exe	20
PID 1360 wrote to memory of 3604	1360	36dc5d703aa8c14058f96671fa749d18.exe	20
PID 3604 wrote to memory of 3064	3604	cmd.exe	18
PID 3604 wrote to memory of 3064	3604	cmd.exe	18
PID 3604 wrote to memory of 3064	3604	cmd.exe	18
PID 3064 wrote to memory of 4408	3064	svohcst.exe	17
PID 3064 wrote to memory of 4408	3064	svohcst.exe	17
PID 3064 wrote to memory of 4408	3064	svohcst.exe	17

C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
"C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
  C:\Users\Admin\AppData\Local\Temp\36dc5d703aa8c14058f96671fa749d18.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\run.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604

C:\Users\Admin\AppData\Local\Temp\svohcst.exe
C:\Users\Admin\AppData\Local\Temp\svohcst.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Users\Admin\AppData\Local\Temp\svohcst.exe
"C:\Users\Admin\AppData\Local\Temp\svohcst.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
238B

MD5
c3683660766aca9dc14c7812398a5a87

SHA1
26c41b8ebe62e7f63c9f41f3fed5eb2222e890cd

SHA256
edee4c5db4ede0ce1777b5c77f228bac8bce1cc51d5cf193ab6e81a36c36566a

SHA512
95f8bf3aac9d1e4e3c5cc88f8f1814b5ab799952da982a666bf21d1a7fb67ee0d9814ed09cbff221a4a18da436b1cc6f519b6c87d0548cc321e8586afec44d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svohcst.exe

Filesize
25KB

MD5
f9ede5ef1f05d46e377930783068f469

SHA1
117143591182c2053c65250239ce9b15a7acb796

SHA256
620d97cc3c8d924a327e56db0546519a3c5dadd99a3a57bbf09aa97ab2b7b4ae

SHA512
8b93e8e0469dfaec76172ec2a5c42bbdd13b2617551a79d4a0e70afb59d1c7a72ba0fc7946dbb9440e186bd2d00cf7f090da6d2bdc9cb5e9842976c37106470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svohcst.exe

Filesize
64KB

MD5
36dc5d703aa8c14058f96671fa749d18

SHA1
ee18ac063f3a8073cce2a0a8d2981d0c7051fd71

SHA256
3f01fbea1c3b83ffb5acef7208ee4012bbee6fee237ed1c1196bb247858257fe

SHA512
88ab7072b5b93b07551e35baf94d31050039d45f113971dd713c39b2540a284b7ff30b652e75768a4e451710486d8d0ac516a4dcabdfc60c371c4cc2cc503176

Download Submit
memory/1360-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1360-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3064-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4408-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4408-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download