999a238320114579ef2afcf06f19988fccc85b5a1f004e3c4deb84210e0db14d

Analysis

max time kernel
159s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a26010bda762c2e8308172a77c20d43.exe
Size

34KB
MD5

3a26010bda762c2e8308172a77c20d43
SHA1

8d700e94a56b313c78debfa9383fd38117a615e7
SHA256

999a238320114579ef2afcf06f19988fccc85b5a1f004e3c4deb84210e0db14d
SHA512

6e6f1d8997eadc8b84ca241b21b9648ba1cf03a4977c99d08f833a45d7e9fde3c33efe52486de2cab0f240ce42e7b5ec183070e3d069583a29f82dc1f3513655
SSDEEP

768:DcFz1Bx441UV9rc2wSg7p7VR+/ofMC74k2+Asl+5Kq6ORyltfI:wF5Bx4OUo9VRGofVEbsliIlp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4540	winhost.exe
1604	svchost.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\log	svchost.exe
File created	C:\Windows\SysWOW64\log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\winhost.exe	3a26010bda762c2e8308172a77c20d43.exe
File created	C:\Windows\SysWOW64\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File created	C:\Windows\SysWOW64\winhost.exe	3a26010bda762c2e8308172a77c20d43.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\newlog	svchost.exe
File opened for modification	C:\Windows\SysWOW64\allId	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File created	C:\Windows\SysWOW64\winhost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\winhost.exe	svchost.exe
File created	C:\Windows\SysWOW64\newlog	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	winhost.exe
File created	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File created	C:\Windows\svchost.exe	3a26010bda762c2e8308172a77c20d43.exe
File opened for modification	C:\Windows\svchost.exe	3a26010bda762c2e8308172a77c20d43.exe
File created	C:\Windows\svchost.exe	winhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000465adebd0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004e6a4bbc0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e204000040c7a47b819ecf1199d300aa004ae8378d0000005d54a9a2c2a0b4429708a0b2badd77c8d80300004e3aaa90ba1c3342b8bb535773d48449bc0000000000000000000000000000000000000000000000	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000ae93babd0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000eb61abbe0f44da01	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e20400007696bfe28f5f5c4397eb11607a5bedf7710200005d54a9a2c2a0b4429708a0b2badd77c8d803000044f8271d1f3a104485ac14651078412da509000010901ef8a46ece11a7ff00aa003ca9f6e4010000	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e20400007696bfe28f5f5c4397eb11607a5bedf7710200005d54a9a2c2a0b4429708a0b2badd77c8d80300004e3aaa90ba1c3342b8bb535773d48449bc00000010901ef8a46ece11a7ff00aa003ca9f6e4010000	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e204000040c7a47b819ecf1199d300aa004ae8378d0000005d54a9a2c2a0b4429708a0b2badd77c8d803000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b0df06be0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000b0df06be0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{470C0EBD-5D73-4D58-9CED-E91E22E23282} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000009dffa8be0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e20400007696bfe28f5f5c4397eb11607a5bedf7710200005d54a9a2c2a0b4429708a0b2badd77c8d803000044f8271d1f3a104485ac14651078412da50900006024b221ea3a6910a2dc08002b30309d9a030000	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e204000040c7a47b819ecf1199d300aa004ae8378d0000005d54a9a2c2a0b4429708a0b2badd77c8d80300004e3aaa90ba1c3342b8bb535773d48449bc00000010901ef8a46ece11a7ff00aa003ca9f6e4010000	winhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e204000040c7a47b819ecf1199d300aa004ae8378d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002c3f66be0f44da01	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e20400007696bfe28f5f5c4397eb11607a5bedf7710200005d54a9a2c2a0b4429708a0b2badd77c8d8030000690f1723c1408a271000000100020000a601000010901ef8a46ece11a7ff00aa003ca9f6e4010000	winhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	winhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 62b06a59d2b415429f74e9109b0a8153e20400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	winhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	3a26010bda762c2e8308172a77c20d43.exe
2176	3a26010bda762c2e8308172a77c20d43.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe
1604	svchost.exe
1604	svchost.exe
4540	winhost.exe
4540	winhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1604	4540	winhost.exe	93
PID 4540 wrote to memory of 1604	4540	winhost.exe	93
PID 4540 wrote to memory of 1604	4540	winhost.exe	93

C:\Users\Admin\AppData\Local\Temp\3a26010bda762c2e8308172a77c20d43.exe
"C:\Users\Admin\AppData\Local\Temp\3a26010bda762c2e8308172a77c20d43.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\winhost.exe
C:\Windows\SysWOW64\winhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" C:\Windows\system32
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winhost.exe

Filesize
34KB

MD5
3a26010bda762c2e8308172a77c20d43

SHA1
8d700e94a56b313c78debfa9383fd38117a615e7

SHA256
999a238320114579ef2afcf06f19988fccc85b5a1f004e3c4deb84210e0db14d

SHA512
6e6f1d8997eadc8b84ca241b21b9648ba1cf03a4977c99d08f833a45d7e9fde3c33efe52486de2cab0f240ce42e7b5ec183070e3d069583a29f82dc1f3513655

Download Submit
memory/1604-47-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1604-65-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-75-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-73-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-61-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-56-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-63-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-50-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-69-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-58-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-46-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-52-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/1604-54-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/2176-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2176-0-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/2176-13-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-45-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-60-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-57-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-55-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-51-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-66-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-48-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-72-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download
memory/4540-10-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/4540-8-0x0000000000400000-0x0000000000410655-memory.dmp

Filesize
65KB

Download