817772f595507cd54cbd1a3135441dc917959072d5a3da459eab635529870954

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a0b0cd42fdeccf2d6ae9020e687949e.exe
Size

1.2MB
MD5

4a0b0cd42fdeccf2d6ae9020e687949e
SHA1

f760cbbedf778975a67834ed58819b879c310156
SHA256

817772f595507cd54cbd1a3135441dc917959072d5a3da459eab635529870954
SHA512

d08358dd20c2ffb6c1ee331516c530bab38aca166644a98620d7e96a8d26fe022f46ae5584d43336b8f5fc74e48929fd3c97a25d50a196b3bbc6556f54b2e3d3
SSDEEP

24576:HK4dNvwTStssp2ZoZXqqhRmFobXo1X2tlUb8q:HXwT5u5qqhE441E+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	svchost.exe
2656	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BfuvjH\svchost.exe	4a0b0cd42fdeccf2d6ae9020e687949e.exe
File opened for modification	C:\Program Files (x86)\BfuvjH\svchost.exe	4a0b0cd42fdeccf2d6ae9020e687949e.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\uGYcIEQ\kXhKunMPe.tmp	svchost.exe
File created	C:\Windows\fAsybiGQ.dll	4a0b0cd42fdeccf2d6ae9020e687949e.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File opened for modification	C:\Windows\uGYcIEQ\deYWOIqL.dll	svchost.exe
File opened for modification	C:\Windows\uGYcIEQ\gOTNcMD.dll	svchost.exe
File created	C:\Windows\RgmLRV.dll	svchost.exe
File created	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\uGYcIEQ\deYWOIqL.dll	svchost.exe
File created	C:\Windows\uGYcIEQ\gOTNcMD.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe
2656	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2656	2164	4a0b0cd42fdeccf2d6ae9020e687949e.exe	88
PID 2164 wrote to memory of 2656	2164	4a0b0cd42fdeccf2d6ae9020e687949e.exe	88
PID 2164 wrote to memory of 2656	2164	4a0b0cd42fdeccf2d6ae9020e687949e.exe	88

C:\Users\Admin\AppData\Local\Temp\4a0b0cd42fdeccf2d6ae9020e687949e.exe
"C:\Users\Admin\AppData\Local\Temp\4a0b0cd42fdeccf2d6ae9020e687949e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\BfuvjH\svchost.exe
  "C:\Program Files (x86)\BfuvjH\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BfuvjH\svchost.exe

Filesize
555KB

MD5
c745bbfe5e45e164696352de4b4ee4bf

SHA1
c5f9620f1bf24b5d5bac2fb259f29c81d16b406a

SHA256
31b721e790e65486dfc83c7db9c8b4adeb7fb20d62dd533ed5d0d132b6bac99d

SHA512
75ffa94cccf4acd2bf32eb402057522be5947021d465c9505f6b1331f7faf83da3bb28483c3f8ba06cdb8aa4eaa2b74277e49e5657b7a1220fdbb5f97a8424d4

Download Submit
C:\Program Files (x86)\BfuvjH\svchost.exe

Filesize
220KB

MD5
d86c53c0dfdb9d153de20cb4a5300c62

SHA1
e9010edc213a31e52a087890b4480437b0747f66

SHA256
21bd07edde4eef3306380c617c614b7b98a321e2235d37ff4db797111413b4bd

SHA512
184c5cd6712f44bf60e68fefce1a65ab71e41c55a09359890e72cbedcbe0eab31e0f53d98d7862b1607881d556aa49a3e9369033af9ca95106486643a5a01c2f

Download Submit
C:\Windows\uGYcIEQ\gOTNcMD.dll

Filesize
185KB

MD5
d3d9acd19230dabebc361c5e6162f366

SHA1
8e67c7e1046c025ab6d4f3657d062d5912b906a4

SHA256
98242dee33936336fd4ceb8a744c9a877de386d28be5a353d46ef5a111e9bd19

SHA512
001348fe6c4f49ca681f1f1ae89da801d36f4775e24c70b646d0dbd6717049ec598591137cb34a8827b9c21c4143983d151bdce0923f465466802d4c25313cd9

Download Submit
C:\Windows\uGYcIEQ\gOTNcMD.dll

Filesize
829KB

MD5
e28ec44b2edcf454c6c51935705eb126

SHA1
49d543b053428542588e6308dbb8039ca2599b7c

SHA256
7d32af55038604a04dafd92ac7f8062ab875f67554002ada82abf6077f7570e7

SHA512
2c640f74bbd0343b8c02806af0306c92327b28a8287c979234872412648c22b1d4923baa0a56821841cbad2799a56de17ab3afc6f662b1fac7699aa7ec3ff3bd

Download Submit
memory/2164-0-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2164-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-45-0x0000000002DC0000-0x0000000002F42000-memory.dmp

Filesize
1.5MB

Download
memory/2656-48-0x00000000025C0000-0x00000000025C3000-memory.dmp

Filesize
12KB

Download
memory/2656-47-0x0000000002DC0000-0x0000000002F42000-memory.dmp

Filesize
1.5MB

Download
memory/2656-53-0x0000000002DC0000-0x0000000002F42000-memory.dmp

Filesize
1.5MB

Download