3343e5a078cd92995946f991cf456e7b50ede34834cd685510857bded3ca7aba

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fd2696749321cb9c3eb5e354807af7.exe
Size

1.1MB
MD5

79fd2696749321cb9c3eb5e354807af7
SHA1

4bdfa2a18c49920bf6aa5f8f66b03497d7aaeca2
SHA256

3343e5a078cd92995946f991cf456e7b50ede34834cd685510857bded3ca7aba
SHA512

b24f815c4d6aba69fe285f63a20b5990ffd139d52c05cf6f9cd4a77c4248ae16ff3eee29678a850ebf7df67a5815fb3359c36bde753dd05374bbcf6f9b697905
SSDEEP

24576:LXQKznLsKA4bTlV9vwSfeqsxC3oh4Rj5xrYIKsIdHM:fFTl7vyYUQ9Km

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002314e-24.dat	acprotect
behavioral2/files/0x000600000002314f-20.dat	acprotect

Executes dropped EXE 9 IoCs

pid	Process
3792	IUB.EXE
216	ashsvc.exe
3228	COM2.EXE
3476	SVCHOSI.EXE
3188	COM1.EXE
3260	SVCHOSI.EXE
848	ashsvc.exe
5084	IUB.EXE
4028	COM2.EXE

Loads dropped DLL 6 IoCs

pid	Process
216	ashsvc.exe
216	ashsvc.exe
216	ashsvc.exe
848	ashsvc.exe
848	ashsvc.exe
848	ashsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSix = "C:\\Windows\\System32\\SVCHOSI.EXE"	REG.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.exe	SVCHOSI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1612	REG.exe
2680	REG.exe
5060	REG.exe
4520	REG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
216	ashsvc.exe
216	ashsvc.exe
848	ashsvc.exe
848	ashsvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2524	79fd2696749321cb9c3eb5e354807af7.exe
3792	IUB.EXE
3228	COM2.EXE
3476	SVCHOSI.EXE
3188	COM1.EXE
3260	SVCHOSI.EXE
5084	IUB.EXE
4028	COM2.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3792	2524	79fd2696749321cb9c3eb5e354807af7.exe	92
PID 2524 wrote to memory of 3792	2524	79fd2696749321cb9c3eb5e354807af7.exe	92
PID 2524 wrote to memory of 3792	2524	79fd2696749321cb9c3eb5e354807af7.exe	92
PID 3792 wrote to memory of 216	3792	IUB.EXE	97
PID 3792 wrote to memory of 216	3792	IUB.EXE	97
PID 3792 wrote to memory of 216	3792	IUB.EXE	97
PID 2524 wrote to memory of 3228	2524	79fd2696749321cb9c3eb5e354807af7.exe	98
PID 2524 wrote to memory of 3228	2524	79fd2696749321cb9c3eb5e354807af7.exe	98
PID 2524 wrote to memory of 3228	2524	79fd2696749321cb9c3eb5e354807af7.exe	98
PID 3792 wrote to memory of 3476	3792	IUB.EXE	99
PID 3792 wrote to memory of 3476	3792	IUB.EXE	99
PID 3792 wrote to memory of 3476	3792	IUB.EXE	99
PID 3228 wrote to memory of 1612	3228	COM2.EXE	100
PID 3228 wrote to memory of 1612	3228	COM2.EXE	100
PID 3228 wrote to memory of 1612	3228	COM2.EXE	100
PID 3792 wrote to memory of 3188	3792	IUB.EXE	102
PID 3792 wrote to memory of 3188	3792	IUB.EXE	102
PID 3792 wrote to memory of 3188	3792	IUB.EXE	102
PID 3228 wrote to memory of 2680	3228	COM2.EXE	103
PID 3228 wrote to memory of 2680	3228	COM2.EXE	103
PID 3228 wrote to memory of 2680	3228	COM2.EXE	103
PID 3228 wrote to memory of 3260	3228	COM2.EXE	104
PID 3228 wrote to memory of 3260	3228	COM2.EXE	104
PID 3228 wrote to memory of 3260	3228	COM2.EXE	104
PID 3228 wrote to memory of 5060	3228	COM2.EXE	106
PID 3228 wrote to memory of 5060	3228	COM2.EXE	106
PID 3228 wrote to memory of 5060	3228	COM2.EXE	106
PID 3228 wrote to memory of 4520	3228	COM2.EXE	107
PID 3228 wrote to memory of 4520	3228	COM2.EXE	107
PID 3228 wrote to memory of 4520	3228	COM2.EXE	107
PID 3228 wrote to memory of 848	3228	COM2.EXE	110
PID 3228 wrote to memory of 848	3228	COM2.EXE	110
PID 3228 wrote to memory of 848	3228	COM2.EXE	110
PID 3476 wrote to memory of 5084	3476	SVCHOSI.EXE	111
PID 3476 wrote to memory of 5084	3476	SVCHOSI.EXE	111
PID 3476 wrote to memory of 5084	3476	SVCHOSI.EXE	111
PID 3476 wrote to memory of 4028	3476	SVCHOSI.EXE	112
PID 3476 wrote to memory of 4028	3476	SVCHOSI.EXE	112
PID 3476 wrote to memory of 4028	3476	SVCHOSI.EXE	112

C:\Users\Admin\AppData\Local\Temp\79fd2696749321cb9c3eb5e354807af7.exe
"C:\Users\Admin\AppData\Local\Temp\79fd2696749321cb9c3eb5e354807af7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5084
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4028
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3188
- C:\COM2.EXE
  \\.\C:\COM2.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v NTLOADER REG_SZ /d "C:\COM2.EXE"
    3⤵
    - Modifies registry key
    PID:1612
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v WinSix /t REG_SZ /d "C:\Windows\System32\SVCHOSI.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2680
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3260
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5060
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4520
- - C:\Windows\SysWOW64\2026\2045\ashsvc.exe
    C:\Windows\System32\2026\2045\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\COM2.EXE

Filesize
1.1MB

MD5
571a5b2fb8e71745837b4e3eb0d4a7db

SHA1
a754f33e81f35da40be5741e147cebcb7f748dda

SHA256
ebcc82244e99dd4f5d8d4fe7003a05ab9c13fc9ba0e53111f37c0798653ec515

SHA512
a1cc41c2a1c61943faa7a061af6d83b53f5db165218b3df9e05d9dc33ddf7e0f4bf8b1c3e26a6f752b2e3161b5d9a0fc99ffb235b349402bcd07b3ceef1db099

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
1.1MB

MD5
3a7f6265cafc85064434dab7950104a8

SHA1
f12957a47d8704f19f7c2fec03a6a1028be7f2aa

SHA256
6eeb1bd7d6a956e81f7bd808c58b782accee55fa0d6ec29d7e029687d8572278

SHA512
0dbf69de4b901b34cca85f38f8178e44770bbda7919253f8f7c58b67a4c309fa14e56f5a8064d3f8ed1a962a863859400bad2c21f2f6cb693d1ff7d98b3c2648

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
1.1MB

MD5
4b7182a569f39b8adee5db1152d81d70

SHA1
301b157979dc8ae47451601036e8ccf9faaab597

SHA256
57b1bff3444c7d5e8ba2e3215ebef29fda8668e03c3a5c54a82907a6e831882a

SHA512
78e10bc537c4be60f74894d01a93beddf6dbb4a3beb5549b532801f3d67ae5c6f92ed8b6316ca1b790d8bac996eb91700aafaf45342058465b23ee7df89e2852

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
896KB

MD5
39844ea5ae2d89b90f66d07cc1e9fca2

SHA1
2e59a95880438a6c5943fe55ee2e4fe077aa8086

SHA256
647cc106f7f97c83827abb8bb6bbc21b205662b3ab4bbbec77713ffa6d6ab143

SHA512
4e654dd678b66ed3a1d79a05260f8639e2ba6bc44e2cd41513a3bed387d371c28f6cd540564bb5a60524e850048b3057ef8b71a7b912310e6b5a7432f51f2885

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe

Filesize
125KB

MD5
b33db6ac948c4b6e8d0e5c082b9a303a

SHA1
261fd70fb578503c770d0aaccc4fb861cf9ce7fe

SHA256
b50406caf4b61ca379c6408631d4916f33b87efd3d5f23fb9a7433dd4ff78121

SHA512
24123ecb50205122dbaf595822a5165e2eb370c78bea45122ef1af95c128ced2f1834a5e3d301047bf62bf104cf7038e8e47fa5b926c28f4b29406cdfac17045

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\libeay32.dll

Filesize
494KB

MD5
198d065bd0714482011917307c9ebf46

SHA1
b834c8a5396e59b0fd051dda8849cf9b999aa625

SHA256
acee024120921b1f406d6d7f6d5facf054083ab55993ce4c1ba5ebd6595c7e43

SHA512
489d38aee5d95a9611aff4b170113250d1608e9dc3f496f73018e9980de91f30e58edec0e37d4468f093867d5848044136b0934ee35345daa5a63c73b3e96120

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ssleay32.dll

Filesize
117KB

MD5
c1afdf88451258af208c2eaf90a3e074

SHA1
cc3473b7949e631c4ca0bec21d9430e34e310f2f

SHA256
295331b60026555ea5f27f0e87d5b9d90a5c5fedb656c945d80a3470d4851cc8

SHA512
768330c2bc3ec9ac6803532d833200569442fc5d95193562d8811695b649400eba2ea8166d4f7806a7d9bf6ffbd80c74983f5d05d6698b8f877796f542913609

Download Submit
C:\Windows\SysWOW64\SVCHOSI.EXE

Filesize
1.1MB

MD5
d2af043b6558e11b3ffe7c7211c86d91

SHA1
52579a55ab99d6b2a39bdec039894e90a37a3a8c

SHA256
60b627a936d479f1bc60baf0bdde5382561042a79fce2f44e671e314d4da679d

SHA512
eb60ab0f52a7ccff7c1b311887ebffcb51334c4ab4c44ba4e7e361ef8ecfded081d2acf7d15434da251a3677b980d7b0342e20d11b6db11c1de971fecbcdfc44

Download Submit
memory/216-29-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/216-25-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/216-27-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/216-26-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/216-28-0x00000000006B0000-0x00000000006FB000-memory.dmp

Filesize
300KB

Download
memory/848-84-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/848-86-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/848-87-0x0000000000670000-0x00000000006BB000-memory.dmp

Filesize
300KB

Download
memory/2524-3-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2524-11-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2524-47-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2524-0-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3188-66-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3188-89-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3188-55-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3228-49-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3228-35-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3228-90-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3260-59-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3260-62-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3476-42-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3476-50-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3792-8-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3792-22-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/3792-76-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4028-107-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4028-110-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/5084-100-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/5084-104-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download