6d163443389051e1a8c4fe585e0b97d7a16fb6855f0b13a719e401d042819354

Analysis

max time kernel
211s
max time network
198s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

388d1d5626a4192a172f9aa3351a679a.exe
Size

25KB
MD5

388d1d5626a4192a172f9aa3351a679a
SHA1

4da2552f1e70e9882abda90409943c37c2830030
SHA256

6d163443389051e1a8c4fe585e0b97d7a16fb6855f0b13a719e401d042819354
SHA512

cfe2c7d11258fd6cb69bd37e789950e85b49c9c8a810864f8cb3e880aa252f70162757f45de423d63fa44bc807830f1349e9927c29127837ba5958f7097271a1
SSDEEP

768:mSSdAWyLwqHq43GfWaTc/5pwSPt8uLFtR:mh7qK43VH4SPLr

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	SVSH0ST.EXE

Loads dropped DLL 2 IoCs

pid	Process
2564	388d1d5626a4192a172f9aa3351a679a.exe
2564	388d1d5626a4192a172f9aa3351a679a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2564-3-0x0000000000220000-0x0000000000236000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-2.dat	upx
behavioral1/memory/2564-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2564-4-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2564-12-0x0000000000220000-0x0000000000236000-memory.dmp	upx
behavioral1/memory/2584-14-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-16-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2564-30-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-46-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-69-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-143-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-144-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-861-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-916-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-917-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1350-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1513-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1514-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1526-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1560-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2584-1572-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\SVSH0ST.EXE"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\SVSH0ST.EXE"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	SVSH0ST.EXE
File opened (read-only)	\??\u:	SVSH0ST.EXE
File opened (read-only)	\??\z:	SVSH0ST.EXE
File opened (read-only)	\??\h:	SVSH0ST.EXE
File opened (read-only)	\??\p:	SVSH0ST.EXE
File opened (read-only)	\??\y:	SVSH0ST.EXE
File opened (read-only)	\??\l:	SVSH0ST.EXE
File opened (read-only)	\??\w:	SVSH0ST.EXE
File opened (read-only)	\??\m:	SVSH0ST.EXE
File opened (read-only)	\??\n:	SVSH0ST.EXE
File opened (read-only)	\??\o:	SVSH0ST.EXE
File opened (read-only)	\??\s:	SVSH0ST.EXE
File opened (read-only)	\??\t:	SVSH0ST.EXE
File opened (read-only)	\??\v:	SVSH0ST.EXE
File opened (read-only)	\??\g:	SVSH0ST.EXE
File opened (read-only)	\??\j:	SVSH0ST.EXE
File opened (read-only)	\??\x:	SVSH0ST.EXE
File opened (read-only)	\??\k:	SVSH0ST.EXE
File opened (read-only)	\??\q:	SVSH0ST.EXE
File opened (read-only)	\??\e:	SVSH0ST.EXE
File opened (read-only)	\??\i:	SVSH0ST.EXE

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\c:\autorun.inf	SVSH0ST.EXE
File created	\??\f:\autorun.inf	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File opened for modification	C:\autorun.inf	SVSH0ST.EXE
File opened for modification	\??\c:\autorun.inf	SVSH0ST.EXE
File opened for modification	\??\f:\autorun.inf	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File created	C:\autorun.inf	SVSH0ST.EXE

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SVSH0ST.EXE	388d1d5626a4192a172f9aa3351a679a.exe
File created	C:\Windows\SysWOW64\SVSH0ST.EXE	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\SVSH0ST.EXE	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\SVSH0ST.EXE	388d1d5626a4192a172f9aa3351a679a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\SERVWRAP.ASP	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	SVSH0ST.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-8.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\501.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.1.7600.16385_none_21be611582619ce3\managePermissions.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_82258a09c9170bac\RSSFeeds.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-12.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\412.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-15.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-100.asp	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_59e6a839753b16d1\RSSFeeds.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-14.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5646c597a746df57\slideShow.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\weather.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-12.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.1.7600.16385_none_02a1a2d949085578\manageAllRoles.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_users_b03f5f7f11d50a3a_6.1.7600.16385_none_be918bff95b9bbc5\findUsers.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7fa92a4e1adcf67f\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba2212be09f75c28\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-16.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-2.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\412.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2867d8179890f1a8\currency.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-10.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\405.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-100.asp	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\412.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ae1bce6b81c0916\flyout.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-17.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.1.7600.16385_none_ffd9db4d7f4ad539\ManageProviders.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-19.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Soft Blue.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8dcb8bb83ef0bc47\weather.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\RSSFeeds.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\clock.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7c3aeb36c5f98c70\cpu.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-4.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-7.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-5.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-9.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\405.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-17.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fddcd6a1ab604da\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Hand Prints.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9675951dd42e377\settings.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-6.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-16.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\406.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.html	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-1.htm	SVSH0ST.EXE
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dd612a0790e20961\calendar.html	SVSH0ST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a81a58586029349bdd43687f98c414d000000000200000000001066000000010000200000002f753251b8014098ae34992fd6f560094978d187fc65561ee5e504a36106e4e6000000000e80000000020000200000006ca004780195c4f4021e0e66cf9f9ff70e953739a0fca10eb0619c52dfdcb6ab20000000834c8f1e7bbf52556e8886b2a5e93cd1f116f7d143a46da101a52a7b791a518e40000000029ebbfd9ca67595035e133d596cb1e8bea63ea384be0bb74c90278be9be401179bc4328be179b75fcb976585ea73bbf9f7bbdd05aac8e8fc9b96cfd25cc0cbe	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1786667495"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E5B0E91-C359-11D3-8098-6E3D54FB2439} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807d6d076657bf01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a81a58586029349bdd43687f98c414d00000000020000000000106600000001000020000000b6e49c9b793cbc4efe6b5174508d7f403831206e44ea09df9942c1b9cf66a270000000000e80000000020000200000005092d2b3179c502c1f02cd3110cc6757af804e6b8b97064d45bd0c409c2b033c90000000c01277be5852039fe7b0e4c1f6dd96412c61f509628cb2657b204db88e3c863a935bb06718e0d9076b7ab48912f61e915ac46c1314fcffa1ea8422adc82f9fb8d92abd82f322ba7449d91aa7e6c162055c47f949484c63a5c858863101743c5d0734017ef8d2e96afa8af95534323539ab8726f339af351e0e3464bd73ab5a411361b471cb14e313efc6269599ed52974000000028c08e9f9ae9ffeb76823180584abea3567e9f83935930ec1c18082d45cc59547fe7b31dcd7df2241d5732209eca6ec6e579e4787d3d832cf20977076be7aab2	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://ov.12vh.com"	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2756	reg.exe
1796	reg.exe
2124	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2584	SVSH0ST.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1756	iexplore.exe
1756	iexplore.exe
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2584	2564	388d1d5626a4192a172f9aa3351a679a.exe	28
PID 2564 wrote to memory of 2584	2564	388d1d5626a4192a172f9aa3351a679a.exe	28
PID 2564 wrote to memory of 2584	2564	388d1d5626a4192a172f9aa3351a679a.exe	28
PID 2564 wrote to memory of 2584	2564	388d1d5626a4192a172f9aa3351a679a.exe	28
PID 2584 wrote to memory of 2756	2584	SVSH0ST.EXE	29
PID 2584 wrote to memory of 2756	2584	SVSH0ST.EXE	29
PID 2584 wrote to memory of 2756	2584	SVSH0ST.EXE	29
PID 2584 wrote to memory of 2756	2584	SVSH0ST.EXE	29
PID 2584 wrote to memory of 1796	2584	SVSH0ST.EXE	31
PID 2584 wrote to memory of 1796	2584	SVSH0ST.EXE	31
PID 2584 wrote to memory of 1796	2584	SVSH0ST.EXE	31
PID 2584 wrote to memory of 1796	2584	SVSH0ST.EXE	31
PID 2584 wrote to memory of 2760	2584	SVSH0ST.EXE	33
PID 2584 wrote to memory of 2760	2584	SVSH0ST.EXE	33
PID 2584 wrote to memory of 2760	2584	SVSH0ST.EXE	33
PID 2584 wrote to memory of 2760	2584	SVSH0ST.EXE	33
PID 2584 wrote to memory of 2016	2584	SVSH0ST.EXE	37
PID 2584 wrote to memory of 2016	2584	SVSH0ST.EXE	37
PID 2584 wrote to memory of 2016	2584	SVSH0ST.EXE	37
PID 2584 wrote to memory of 2016	2584	SVSH0ST.EXE	37
PID 2584 wrote to memory of 2440	2584	SVSH0ST.EXE	35
PID 2584 wrote to memory of 2440	2584	SVSH0ST.EXE	35
PID 2584 wrote to memory of 2440	2584	SVSH0ST.EXE	35
PID 2584 wrote to memory of 2440	2584	SVSH0ST.EXE	35
PID 2584 wrote to memory of 2124	2584	SVSH0ST.EXE	41
PID 2584 wrote to memory of 2124	2584	SVSH0ST.EXE	41
PID 2584 wrote to memory of 2124	2584	SVSH0ST.EXE	41
PID 2584 wrote to memory of 2124	2584	SVSH0ST.EXE	41
PID 2584 wrote to memory of 1224	2584	SVSH0ST.EXE	39
PID 2584 wrote to memory of 1224	2584	SVSH0ST.EXE	39
PID 2584 wrote to memory of 1224	2584	SVSH0ST.EXE	39
PID 2584 wrote to memory of 1224	2584	SVSH0ST.EXE	39
PID 2584 wrote to memory of 1756	2584	SVSH0ST.EXE	42
PID 2584 wrote to memory of 1756	2584	SVSH0ST.EXE	42
PID 2584 wrote to memory of 1756	2584	SVSH0ST.EXE	42
PID 2584 wrote to memory of 1756	2584	SVSH0ST.EXE	42
PID 2564 wrote to memory of 672	2564	388d1d5626a4192a172f9aa3351a679a.exe	43
PID 2564 wrote to memory of 672	2564	388d1d5626a4192a172f9aa3351a679a.exe	43
PID 2564 wrote to memory of 672	2564	388d1d5626a4192a172f9aa3351a679a.exe	43
PID 2564 wrote to memory of 672	2564	388d1d5626a4192a172f9aa3351a679a.exe	43
PID 2564 wrote to memory of 2640	2564	388d1d5626a4192a172f9aa3351a679a.exe	44
PID 2564 wrote to memory of 2640	2564	388d1d5626a4192a172f9aa3351a679a.exe	44
PID 2564 wrote to memory of 2640	2564	388d1d5626a4192a172f9aa3351a679a.exe	44
PID 2564 wrote to memory of 2640	2564	388d1d5626a4192a172f9aa3351a679a.exe	44
PID 1756 wrote to memory of 3016	1756	iexplore.exe	49
PID 1756 wrote to memory of 3016	1756	iexplore.exe	49
PID 1756 wrote to memory of 3016	1756	iexplore.exe	49
PID 1756 wrote to memory of 3016	1756	iexplore.exe	49
PID 1224 wrote to memory of 1352	1224	cmd.exe	50
PID 1224 wrote to memory of 1352	1224	cmd.exe	50
PID 1224 wrote to memory of 1352	1224	cmd.exe	50
PID 1224 wrote to memory of 1352	1224	cmd.exe	50
PID 1352 wrote to memory of 2008	1352	net.exe	52
PID 1352 wrote to memory of 2008	1352	net.exe	52
PID 1352 wrote to memory of 2008	1352	net.exe	52
PID 1352 wrote to memory of 2008	1352	net.exe	52

C:\Users\Admin\AppData\Local\Temp\388d1d5626a4192a172f9aa3351a679a.exe
"C:\Users\Admin\AppData\Local\Temp\388d1d5626a4192a172f9aa3351a679a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\SVSH0ST.EXE
  C:\Windows\system32\SVSH0ST.EXE
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D C:\Windows\system32\SVSH0ST.EXE /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D C:\Windows\system32\SVSH0ST.EXE /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://ov.12vh.com /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net start shellHWDetection
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\net.exe
      net start shellHWDetection
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start shellHWDetection
        5⤵
        
        PID:2008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 3 /f
    3⤵
    - Modifies registry key
    PID:2124
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.http://ov.12vh.com/TJ.asp
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\388d1d5626a4192a172f9aa3351a679a.bat
  2⤵
  - Deletes itself
  PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\388d1d5626a4192a172f9aa3351a679a.bat""
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
0fb93fe407960dc53f7746e89778da8b

SHA1
a72097ebe8034462c1b1ca1de3d33db9b0bd6042

SHA256
ccce40c7dc29e5b23ca14d02e535b6bb4d57e840ed21809759ae1e51a42015db

SHA512
2130eb59c6127177b685b4d1775c863ae90856606b646c2a72837134d5f10aee87ecbc63177a91cd28ae5019d487317488af08aa3e206b54a19ba71993894d13

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
8KB

MD5
4c2dc4f3104ed6599ddd4d0f188d8482

SHA1
77864db99d99f3fb39a47663c894281790e4d342

SHA256
649065fc5ce616a5012cf6215f0df2f83ca91f2bf869bd79c36d65837275ab84

SHA512
629755bd9f86a01a49275f898a452896f998e17defe1f571b467f079c6e4a9e646ae31375450562bb2ee6204a565ed74ddde45bcb0fbfb29bb602ec1170c740e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2aad920e0cdbaba563edfb6b5050901

SHA1
98139e8196af643f3a8dee2f26008e0ebc78c664

SHA256
5d066ef5751ebc1a55dc8c49ac27585c1990db8e3ab480a8265ded746c6bf013

SHA512
c0b0494a30125665400b064f6d60f06a576dbd2315c677776b7cb23934b1365f53b0e84209e25bdc9c23a27fe8f2bb6f08bbb48fddc94d44677f8ceaf2a63926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e250a30d0235cdbdedbcb7ea1630e584

SHA1
06ca362f8b02ea6f6932cd320e1aa72f3776afff

SHA256
5772f20e247f24844fdb283cfd377dffe4381383ee323494630f66f0e0b67a24

SHA512
fe937eae36766e173b495475f8a443db343bade3699c5805f93c87312edde3223d16022432e8731e4cd2e11b38bf09c593a80f1b8fef0bf2fbe56e2902c83e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1677192a789a05d2bffa241f094f9c4

SHA1
0d39defc4effcd6177ec936146bb9731b0e5586e

SHA256
cf546b722cb9876c823b93225c1ec4605a6e3cbe0794d6d19c2f2a733c6b6946

SHA512
8a07d19fb58fba7afe9e35ad8f57e1b2f586478210b93ee36ecb0b69eb3c3f816b772c1c37e0c83a938e6ec6d895ed1719288d91b2be168933679b1dcbc5e8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0423aa77271ff6e368f0f4f4b75c7bf

SHA1
2e5b83c5a1aba89bae6651a41452b2473bf04e46

SHA256
3ecd3287aac15e8141c25c33ecb69d724177ebb78b7c1d95a4127d31986a0c09

SHA512
537ca828307bb2e427795af4ce0525e21804f85d2e971cb940208b980a21f15e9a2fe911178e039d1aaee172d0b9bfde3dfbea7e5a4ad87da7a5f9fe343ab1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b12b243d62f8672c72e74ac6df3f6299

SHA1
78f4832b675a4ed8f971e2ccfe94e39012afee64

SHA256
db07110eaafcd5a52e8eeb4bb91c55c79c7ea95994ad0b4bf369b7161bb51fd1

SHA512
57923d493b8c5e401151633e8a5dfacf7bba7e723da5b4eef8dc0a61d680c08c130ae525f049aab0c81e422cee4809134076ac3dd1fca30967a8e2c7a4121a88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01094027e9785e169f24337927403909

SHA1
a93d12a6c29af9ccc3a96fd915c09aa9cf1702a3

SHA256
10fc801180b0b6484588b7d5493e8a51ec8fdd44ee4b1c8dec2d396d8b006bf9

SHA512
0d9b1b860c89925991bebb6e0e55ddfa66430cc4056868cc4f233ec49cff4e1968b9b5e178b447d276f95b59e6160f5c87cce5131abc0ff7f1aca8f85562df39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b2844da40eee6ebf05948e4965e33d8

SHA1
d2d3f0b09db16e0834e1ee9371d8bea0a47a8ff3

SHA256
f999ca8cef1ede5cc640a65ba69ab225d766de4f39fe8cadf47f80ea556cd075

SHA512
1ec6611ee8a08017f4fd5fdc3e43ebb1f0acc3a4e33deecf897d6dfb2b77aabf66e404c2a554bf385835bc21361484d7faef4b00b3e1ea21eb938c2249629497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c33e23a24a501fc3198ef77f8bf01fb

SHA1
156df16c62266e49f66d249e99a756671bf32eb7

SHA256
13f7c56a8d30cd06ff9a52471e6c5f862d4da63f516f964bfae90c9e4ed7c66c

SHA512
752164f447daebc06d533bd8c67fb8705ca8e26f2d675a53d94f03bfbc45e89f11b354a70b6a0794a34cb6bd29d03c370a7e9aad3c92d013f46edb3e8caa1f76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70891adccfc2a6982b2c4247f45d239f

SHA1
f71dfc41c61935dfdca34d4e6f0f9befc6e4641b

SHA256
5b997169717396364c72ce7ecc1d753c6f2b71728c9ccdb8c2835d8a301a29ee

SHA512
83746d1cc2c275aff19edc462520beca3259cdf555238b0f389af8f15d6dd0860b99f5a74106d4f4dc2f2504d4c329628fae3eca9eaea541a033b894a1a51b31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
330a7841a58f596d53d15770ac141737

SHA1
b464336d46f841e8d9e50f33408e6f3eb5940ab6

SHA256
565d98ff047ff420838c1b8943363245949f554e009d8c8fa84d3519538c44b9

SHA512
cf9635b6601a6522a83edf70b7608ce91e6a76f004af508a1af596e8b3f8e20b7645a5a3007b58cbc7483573c777df955f1cf54c99f69ab5b6eaf9ace2676c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8587ac3793bf89b2b41528d4dbcf47f5

SHA1
8bf20c15276f28b87e40c4d4144896903eb6cb53

SHA256
2485d9d3accbb659c712d4398e0bcd4a5014a145f8b2d12c7b5053694955c370

SHA512
4328e7858fe7c6e8f8381f257e2b4462c7470b512b651c1ba69be42a0065b3d5406c891ab99e48b917760e87cedcd847142afbe5eecf5081e5d87a27dc9273ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc2e490b5d2e23c80a449f0300f540c4

SHA1
8637ad5e615d4ba99c38c9bb39338e420c581848

SHA256
f3523dce823b041e525a3547f4a47bc37c530ba789320d0a6b0aa71d0f005f3b

SHA512
9f7f9b8fc3eefd6abf251cfb0db32ea54e162e367196376b031ffd918d01c24b898cb442fb31c7b7ff612227beb6628d9d8866a145cd028d5f764454d556d1af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5cb95c30ff3d2ab88a3b45cc1f04b73

SHA1
4717bc26f5565d5822b7ea9c838332d11b21771e

SHA256
7917641480b93e30822284fd3e495f9c4427d7672241bba1cdfc2d1350588875

SHA512
dcf3ca5cf09c453c4e887dce9f0471f4a1941b95f5f79780f9d920f0eabc5f1ecf98051cc826012c2978aa46ff97d7c80ebbc62a3ce3fc05a7bca04c72bd4d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8141f3f91fdb13b827a0a9efb8dd9b07

SHA1
7fabad8d93afb563364247ad09204e7c5b13184a

SHA256
fcc2be6417373df79ca5883209e22d1c7205d902a1016bc73a7a75e2d34ddd35

SHA512
3fb273ce2f729367a6d85df4fcb12fdd6843889c49a6d66b0712acb920f53bd60c87da5bae409a866d83bb8028dd0422e30edc3f42e614e259050a358d1a0eb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2b584b1385e88099989389eb7c3a0b5

SHA1
2e4402da22b4ffdd6934255583105868fd207cd7

SHA256
fc755a99558ee108c31d658dd30b7d814317cbb77064a457f920d491d5311e81

SHA512
cc24539a0946b6ae506fcfd75dd13ba6e396ec34dd92a272277a17b3f5b0b3367d2a3deef1f1d68898bde5a6873df4135cc0b9af057570ba9f2a85e1274c8eed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9629393c4b390ec09ffda04f9b9bb9c8

SHA1
9708410341e61aede016ef73fbeb29e964167da0

SHA256
2e442da8919781731d88541389400d16494e15c7d85621dfc6459a23796cb09d

SHA512
9c67227f5af838b6595eb0012f964a06141cee74d0a1fa0f61b964af2c30fe9671304a27e6b6912ea7974bf04557b2d1065ca1dcb0f705c05223b5d7c9950bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91c75043e69f23107c904beb85fa6359

SHA1
b17a6f0425b277db94de5c86c21def167c3a3e98

SHA256
172719f1e8963a8245047e98408d4aba55671b0d790848a3dfa8a7fe1036c4a2

SHA512
899733560fa074afb41ce9f111e47f429c45b9b865625a7ff3c197756b6dc5394bb7ef8170d82b479905ec78b311d2547c0acadbb192610d129f2cf1fc09a2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af707634d502c04fcf426fc62a8de134

SHA1
3443addacd16e1eb80eaf26b1d5b4d91d8ff27b8

SHA256
92da43c975ba8e462930988a912aa07dc82cd47649935e3f6a3113f7dd7ab4ab

SHA512
a8183cfecca79ecfa230aa1b79a2ab3f51a53aadfeae39a4551477234a57fcb271816ff1ca1a2dbf046f35c52c54e2118b4903eb1adf0edc7d5b20cbb14fecf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\388d1d5626a4192a172f9aa3351a679a.bat

Filesize
184B

MD5
7cbb1ec0b18f355997a61eeaa133ed59

SHA1
7468733aacc4ba3132aa637da1646d5d4916e5b2

SHA256
86f0d1f93945f8e099ef400379a160b10199145ea7bb6455a3fb433ad6c7d040

SHA512
9fbff810b9542635e7bacd0bf8576c381a328f09329c9693fe99bb848b5074ec0551812e2ba8f3d3feefca28298b79d4bc452997aeed7b6d17b9f83e7af422af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab766A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78FD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\Autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
\Windows\SysWOW64\SVSH0ST.EXE

Filesize
25KB

MD5
388d1d5626a4192a172f9aa3351a679a

SHA1
4da2552f1e70e9882abda90409943c37c2830030

SHA256
6d163443389051e1a8c4fe585e0b97d7a16fb6855f0b13a719e401d042819354

SHA512
cfe2c7d11258fd6cb69bd37e789950e85b49c9c8a810864f8cb3e880aa252f70162757f45de423d63fa44bc807830f1349e9927c29127837ba5958f7097271a1

Download Submit
memory/2564-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2564-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2564-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2564-12-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2564-3-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2584-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-143-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-917-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-861-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-916-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1350-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-144-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1513-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1514-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1526-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1560-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2584-1572-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads