7127dba998c2fc80e2e9fdea9cd271de4327bfee850c55145cf917c0dcea4843

General

Target

5a993a09c6e73b996fdafa05cc3f8122.exe
Size

63KB
MD5

5a993a09c6e73b996fdafa05cc3f8122
SHA1

9bd4d9ed6916796b749806020ec99879bd507f4c
SHA256

7127dba998c2fc80e2e9fdea9cd271de4327bfee850c55145cf917c0dcea4843
SHA512

79b9047f5050690b74215e5069f75852d8e7f8d5166eee1f4bd01b14ca7f4638e85bc7bb4b0b68246ae3a95e2713528f43be305553715fa17ed32fbb5c45bf1d
SSDEEP

1536:93LAMoJxnqiAna+uNgflub3IueuGtnyX7dwMnSr1WTTwfz:RAMovcna+uNB3bGsXtSWT6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2932	svohcst.exe
1372	svohcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe
2932	svohcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Download = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svohcst.exe"	svohcst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2352	5a993a09c6e73b996fdafa05cc3f8122.exe
2220	5a993a09c6e73b996fdafa05cc3f8122.exe
2932	svohcst.exe
1372	svohcst.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe
1372	svohcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2220	2352	5a993a09c6e73b996fdafa05cc3f8122.exe	20
PID 2352 wrote to memory of 2220	2352	5a993a09c6e73b996fdafa05cc3f8122.exe	20
PID 2352 wrote to memory of 2220	2352	5a993a09c6e73b996fdafa05cc3f8122.exe	20
PID 2352 wrote to memory of 2220	2352	5a993a09c6e73b996fdafa05cc3f8122.exe	20
PID 2220 wrote to memory of 2964	2220	5a993a09c6e73b996fdafa05cc3f8122.exe	24
PID 2220 wrote to memory of 2964	2220	5a993a09c6e73b996fdafa05cc3f8122.exe	24
PID 2220 wrote to memory of 2964	2220	5a993a09c6e73b996fdafa05cc3f8122.exe	24
PID 2220 wrote to memory of 2964	2220	5a993a09c6e73b996fdafa05cc3f8122.exe	24
PID 2964 wrote to memory of 2932	2964	cmd.exe	23
PID 2964 wrote to memory of 2932	2964	cmd.exe	23
PID 2964 wrote to memory of 2932	2964	cmd.exe	23
PID 2964 wrote to memory of 2932	2964	cmd.exe	23
PID 2932 wrote to memory of 1372	2932	svohcst.exe	22
PID 2932 wrote to memory of 1372	2932	svohcst.exe	22
PID 2932 wrote to memory of 1372	2932	svohcst.exe	22
PID 2932 wrote to memory of 1372	2932	svohcst.exe	22

C:\Users\Admin\AppData\Local\Temp\5a993a09c6e73b996fdafa05cc3f8122.exe
"C:\Users\Admin\AppData\Local\Temp\5a993a09c6e73b996fdafa05cc3f8122.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\5a993a09c6e73b996fdafa05cc3f8122.exe
  C:\Users\Admin\AppData\Local\Temp\5a993a09c6e73b996fdafa05cc3f8122.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\run.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2964

C:\Users\Admin\AppData\Local\Temp\svohcst.exe
C:\Users\Admin\AppData\Local\Temp\svohcst.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Users\Admin\AppData\Local\Temp\svohcst.exe
"C:\Users\Admin\AppData\Local\Temp\svohcst.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9383f0a06d3b82764d375f5e724b2e27

SHA1
5305f5ee5553ce6da5131b6fbaf6176ccd014367

SHA256
bd085dfe1834fa124911ef7d83b143417419692ae7aea9bbba93dced66d80a3d

SHA512
093af3db7ab0fbc1c1434b623e0562792411252315b66a402527223f130eb4ca73588d5a9acc6d2d0a61b132732127feff5545ebc4afa17c8bafcd06734e4e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5A36.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
238B

MD5
77fbf41066105a4899d49459deee9dd7

SHA1
504b0d8d819b7407f2fc762fb028dc7054ef4532

SHA256
e72b42549d938df105157e7b286bce3cd73c68f3e18f8175fad27756efa157c5

SHA512
2a3dd1c57e204e88f5e25f05d8920b539baca058b9f18534cca8121c2735c1f6d3fa663a1f40f119e1d55fef6b51d5c1d46535e0240e0d94dd439bc8d350f267

Download Submit
C:\Users\Admin\AppData\Local\Temp\svohcst.exe

Filesize
63KB

MD5
5a993a09c6e73b996fdafa05cc3f8122

SHA1
9bd4d9ed6916796b749806020ec99879bd507f4c

SHA256
7127dba998c2fc80e2e9fdea9cd271de4327bfee850c55145cf917c0dcea4843

SHA512
79b9047f5050690b74215e5069f75852d8e7f8d5166eee1f4bd01b14ca7f4638e85bc7bb4b0b68246ae3a95e2713528f43be305553715fa17ed32fbb5c45bf1d

Download Submit
memory/1372-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1372-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2220-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2220-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-1-0x00000000001B0000-0x00000000001CE000-memory.dmp

Filesize
120KB

Download
memory/2352-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2932-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2932-23-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2932-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-16-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download
memory/2964-21-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads