1e3053b2305b8387506b245d7913c9073332ab59d2fd2e4d280002ba93417167

General

Target

76dbfb43f69907c4bdb333489100c126.exe
Size

633KB
MD5

76dbfb43f69907c4bdb333489100c126
SHA1

ade2fd25a2be99982d0023da91756b8353218f67
SHA256

1e3053b2305b8387506b245d7913c9073332ab59d2fd2e4d280002ba93417167
SHA512

a8be9291881e38602f0bd323d4fe83e41642b2740e4ed9e0e4ab5222700db6c12f6109604f2b97c8f00bc8d02da5c6706f3df061d9000d64e45f8f4849fb44bf
SSDEEP

12288:qt5lE6vNuYNLc2g+euYXBy/xmVDsUiZ4B+ndvXSYgvRVh1a9QCvY/:kYrYNXjs+xmVDsXZkavXSdvB1a9Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	svchostl.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine	76dbfb43f69907c4bdb333489100c126.exe
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine	svchostl.exe

Loads dropped DLL 4 IoCs

pid	Process
1268	76dbfb43f69907c4bdb333489100c126.exe
1268	76dbfb43f69907c4bdb333489100c126.exe
2688	svchostl.exe
2688	svchostl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchostl = "C:\\Windows\\system\\svchostl.exe"	svchostl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchostl = "C:\\Windows\\system\\svchostl.exe"	svchostl.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\svchostl.exe	76dbfb43f69907c4bdb333489100c126.exe
File created	C:\Windows\system\svchostl.exe	76dbfb43f69907c4bdb333489100c126.exe
File opened for modification	C:\Windows\system\svchostl.sys	svchostl.exe
File created	C:\Windows\system\svchostl.sys	svchostl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile	76dbfb43f69907c4bdb333489100c126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell	76dbfb43f69907c4bdb333489100c126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open	76dbfb43f69907c4bdb333489100c126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command\ = "rundll32.exe"	76dbfb43f69907c4bdb333489100c126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	76dbfb43f69907c4bdb333489100c126.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	76dbfb43f69907c4bdb333489100c126.exe
Token: SeDebugPrivilege	2688	svchostl.exe
Token: SeDebugPrivilege	2688	svchostl.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2688	1268	76dbfb43f69907c4bdb333489100c126.exe	30
PID 1268 wrote to memory of 2688	1268	76dbfb43f69907c4bdb333489100c126.exe	30
PID 1268 wrote to memory of 2688	1268	76dbfb43f69907c4bdb333489100c126.exe	30
PID 1268 wrote to memory of 2688	1268	76dbfb43f69907c4bdb333489100c126.exe	30
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2712	2688	svchostl.exe	29
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28
PID 2688 wrote to memory of 2596	2688	svchostl.exe	28

C:\Users\Admin\AppData\Local\Temp\76dbfb43f69907c4bdb333489100c126.exe
"C:\Users\Admin\AppData\Local\Temp\76dbfb43f69907c4bdb333489100c126.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system\svchostl.exe
  C:\Windows\system\svchostl.exe
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:2596

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\svchostl.exe

Filesize
633KB

MD5
76dbfb43f69907c4bdb333489100c126

SHA1
ade2fd25a2be99982d0023da91756b8353218f67

SHA256
1e3053b2305b8387506b245d7913c9073332ab59d2fd2e4d280002ba93417167

SHA512
a8be9291881e38602f0bd323d4fe83e41642b2740e4ed9e0e4ab5222700db6c12f6109604f2b97c8f00bc8d02da5c6706f3df061d9000d64e45f8f4849fb44bf

Download Submit
C:\Windows\system\svchostl.exe

Filesize
414KB

MD5
3d08c71aba3889b84f5e0a405888a70e

SHA1
b347093be6c94cb79d95864e1ba8befaf6e06d95

SHA256
afbfed762afccae95214cc9bd54fd4e0ff0713f55242e885b3c99058d9a7ff89

SHA512
501f71de6448ea080af3113dd6df1adb63588a89237f4eda9c78c3d6db49ace33a8c6cd9945b253dcbc341e6d6b1b185e8db14d4180be4bf6e0f9ba6b088814c

Download Submit
\Windows\system\svchostl.exe

Filesize
604KB

MD5
3cbf7d80cbe54f46a797d356a62d2e57

SHA1
1d08c62ebc0c0eab0b272d493e54b89052d6936e

SHA256
8a4dffa2cde7ea2f4fb57318b8da622013162a3199aac0282b6a51489f8fc704

SHA512
c1fb06c363fff714c9b9500139fdd6dffbafefad3b6345cb94842c37b8b2f82d1a2e585213407e829df7cb28b961a7db814841436d5b75497bdb36da6fe2f7b4

Download Submit
\Windows\system\svchostl.sys

Filesize
218KB

MD5
865d4bfb1f697a9ba4e04001eb2f1873

SHA1
d4c502f593c804db9c51d8f4c4a3e006932b42f3

SHA256
346dea3aa6a262e78c7bcd4d11c2474a424d5b7c8da5e56ee00c3be263fdd7f6

SHA512
a4e3148d8f21b90782a0d0e01e4cd3f52fde8261e2ab588a650c52fa147306f4114f1d29c25a377dd1b7c5e8546694252599821f52e267239f8568a104fcba4c

Download Submit
memory/1268-29-0x0000000004020000-0x00000000040E6000-memory.dmp

Filesize
792KB

Download
memory/1268-13-0x0000000004020000-0x00000000040E6000-memory.dmp

Filesize
792KB

Download
memory/1268-6-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/1268-0-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2596-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2688-25-0x0000000004920000-0x0000000004976000-memory.dmp

Filesize
344KB

Download
memory/2688-37-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-17-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-27-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-28-0x0000000004920000-0x0000000004976000-memory.dmp

Filesize
344KB

Download
memory/2688-14-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-30-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-31-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-33-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-34-0x0000000004180000-0x0000000004190000-memory.dmp

Filesize
64KB

Download
memory/2688-35-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-21-0x0000000004180000-0x0000000004190000-memory.dmp

Filesize
64KB

Download
memory/2688-39-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-42-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-44-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-46-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-48-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-50-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-52-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-54-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-56-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download
memory/2688-58-0x0000000013140000-0x0000000013206000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads