817772f595507cd54cbd1a3135441dc917959072d5a3da459eab635529870954

General

Target

4a0b0cd42fdeccf2d6ae9020e687949e.exe
Size

1.2MB
MD5

4a0b0cd42fdeccf2d6ae9020e687949e
SHA1

f760cbbedf778975a67834ed58819b879c310156
SHA256

817772f595507cd54cbd1a3135441dc917959072d5a3da459eab635529870954
SHA512

d08358dd20c2ffb6c1ee331516c530bab38aca166644a98620d7e96a8d26fe022f46ae5584d43336b8f5fc74e48929fd3c97a25d50a196b3bbc6556f54b2e3d3
SSDEEP

24576:HK4dNvwTStssp2ZoZXqqhRmFobXo1X2tlUb8q:HXwT5u5qqhE441E+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	4a0b0cd42fdeccf2d6ae9020e687949e.exe
1632	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\VBcqdLQL\nWeMry.dll	svchost.exe
File created	C:\Windows\SysWOW64\VBcqdLQL\OOxFvir.dll	svchost.exe
File created	C:\Windows\SysWOW64\wYfaMQkf\xKYfCwC.dll	svchost.exe
File created	C:\Windows\SysWOW64\wYfaMQkf\bUJLUXc.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\wYfaMQkf\bUJLUXc.dll	svchost.exe
File created	C:\Windows\SysWOW64\wYfaMQkf\PJvAVICx.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\wYfaMQkf\PJvAVICx.dll	svchost.exe
File created	C:\Windows\SysWOW64\wYfaMQkf\FOnWoQY.tmp	svchost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TVEweO\nSMpNvkh.dll	svchost.exe
File created	C:\Program Files (x86)\TVEweO\nhqvcRsl.dll	svchost.exe
File created	C:\Program Files (x86)\uBABhqD\GlegHjcH.dll	svchost.exe
File created	C:\Program Files (x86)\uBABhqD\hAbtPQu.dll	svchost.exe
File created	C:\Program Files (x86)\HgAekIkf\kJSNxy.dll	svchost.exe
File created	C:\Program Files (x86)\HgAekIkf\pnWdqT.dll	svchost.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\YtYFJfNi\QbAOLmAX.dll	svchost.exe
File created	C:\Windows\MqCcwnR.dll	svchost.exe
File created	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\YtYFJfNi\mtgxouun.dll	svchost.exe
File created	C:\Windows\jkObBF\xUuDWD.dll	svchost.exe
File created	C:\Windows\vTcWBd.dll	4a0b0cd42fdeccf2d6ae9020e687949e.exe
File created	C:\Windows\MRmKbm\wOfXPJ.dll	svchost.exe
File created	C:\Windows\EuaMmH\KajAYKTL.dll	svchost.exe
File created	C:\Windows\jkObBF\xeDQjcN.dll	svchost.exe
File opened for modification	C:\Windows\MRmKbm\wOfXPJ.dll	svchost.exe
File created	C:\Windows\EuaMmH\hudiHmTN.dll	svchost.exe
File created	C:\Windows\CnILIvkM\hIxYrp.dll	svchost.exe
File created	C:\Windows\CnILIvkM\dFHAGBBC.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1632	svchost.exe
1632	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1632	1724	4a0b0cd42fdeccf2d6ae9020e687949e.exe	28
PID 1724 wrote to memory of 1632	1724	4a0b0cd42fdeccf2d6ae9020e687949e.exe	28
PID 1724 wrote to memory of 1632	1724	4a0b0cd42fdeccf2d6ae9020e687949e.exe	28
PID 1724 wrote to memory of 1632	1724	4a0b0cd42fdeccf2d6ae9020e687949e.exe	28

C:\Users\Admin\AppData\Local\Temp\4a0b0cd42fdeccf2d6ae9020e687949e.exe
"C:\Users\Admin\AppData\Local\Temp\4a0b0cd42fdeccf2d6ae9020e687949e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\ProgramData\LLnHxXB\svchost.exe
  "C:\ProgramData\LLnHxXB\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LLnHxXB\svchost.exe

Filesize
135KB

MD5
0207806b4935d060452c997a57d16a31

SHA1
b21a8ecb2082f2f0d9c82568af689b968e6d7c5c

SHA256
196bdcdc76f7dd6cb5c8ea103bfee8a3b1c499ef41e57b77be10f6a9fa369708

SHA512
f317efb7711c6d965355ba22db0dafdac13d1ac73f21bbbcc3e3679ce46b243bcb306e9ffe5227a1cd0726b6772769b845dba125a1b4eae0a2eeb962c2f952f2

Download Submit
C:\ProgramData\LLnHxXB\svchost.exe

Filesize
128KB

MD5
f8c3fb75187fc44d1d9947ccb44744ad

SHA1
6771eea7e38ff00962dae627bf789b02b49b6fc4

SHA256
df88c576457a88de1d911ed72420d76be2cf2776609db77161792712a70de9e5

SHA512
c5261683f51bd66c486bbabff6ac9afedac673bd929f9147e6aca2dee8e7d110ad9ac010df9dedfa2a6a973b7ec0594c9c300c1675a607a58e04ead30551eec8

Download Submit
C:\Windows\CLOG.txt

Filesize
4KB

MD5
d6df4da5740225408f9878b9763b35fd

SHA1
08077e979c4758c050d35c23303543e5bc48f254

SHA256
2bff43c61f51fd400b45f1a6c7fda9035abf6a02d78d4e5914bed1d4ee4ac4cc

SHA512
f26212ff8c51d81603c0b1b48f07ca52f285035e486f4d67f25d45ff9a47a01623aeb384ef5a8496271d8c90a20468d7b09f209d3ded0cd9c21ad00cf1f97d02

Download Submit
C:\Windows\CLOG.txt

Filesize
3KB

MD5
f8368fb72fc8fc9fa9e5d76a56c084c6

SHA1
998a062ded7c94dcd3c91576e173aa34ff45397b

SHA256
ea7b18cf73708da639c3c3a70a14f941d454bcacb7b09c16b0175ec8e336df3a

SHA512
915f186b79563027d1a2387f7da0ae7258ed6ab463a8017dd31978b392977ad1d9c88aad7f4831ebb676287cec715cb9c532b66d8e192303d43c0c1c20712723

Download Submit
\ProgramData\LLnHxXB\svchost.exe

Filesize
1024KB

MD5
dcce0c8efb1ab55dc3116d3a7e610c52

SHA1
52163814bc456011c49d76f341dd226bc4d47fcf

SHA256
4ca999aa7fd0e50d3fcef6f938b4793d0fbdd7597cdf8589562d83a0336b915d

SHA512
e94e3697986d46b7ad4e9508ae131a315771a79b05fd6fbec937a4101ef945d46d8ded00c9d46f094925b66a92b515ffa7469d47adbd5268d87b55bf3525eb44

Download Submit
\Windows\SysWOW64\wYfaMQkf\PJvAVICx.dll

Filesize
825KB

MD5
764f12adc46ca2576f696f6c2eb85e2b

SHA1
41676a8b2f7a32afc1ff1e0ef050e397a91941a1

SHA256
d7fa023826bf288e7c67deea5634680a7fa6a1e4d66547df24fb1269d2533197

SHA512
6604a370dfda56e0a7c729efdc65193668ae4a773608a934285e93fa6a379c5125b3f4110c952f7501bf4315271e6500ab72c285236d72e37fff9cc24e6b4dca

Download Submit
memory/1632-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-17-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1632-125-0x0000000003140000-0x00000000032C2000-memory.dmp

Filesize
1.5MB

Download
memory/1632-126-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1724-7-0x0000000002AF0000-0x0000000002C1E000-memory.dmp

Filesize
1.2MB

Download
memory/1724-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1724-15-0x0000000002AF0000-0x0000000002C1E000-memory.dmp

Filesize
1.2MB

Download
memory/1724-0-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing