360fabfed6012b75c71ad592029662aa60655237b5196554958a6d12a1614db8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b1c0139de262799dca2bb054e3db974.exe
Size

1.1MB
MD5

7b1c0139de262799dca2bb054e3db974
SHA1

813a541911b719a91d374b01dc213cfafac8a5a8
SHA256

360fabfed6012b75c71ad592029662aa60655237b5196554958a6d12a1614db8
SHA512

4782f79350f6401354156c67195031e2d13b5d8b3c82f305fa4c06ed7a75a321d1df7f2fa905d44f9d31a034d8d9422c2d1ec74a5a460f0ba2a41e25c30b086a
SSDEEP

24576:nXQKznLsKA4bTlV9vwSfeqsxC3oh4Rj5xrYIKsIdHf:DFTl7vyYUQ9KZ

Score

7^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023234-17.dat	acprotect
behavioral2/files/0x0006000000023233-21.dat	acprotect

Executes dropped EXE 11 IoCs

pid	Process
2780	IUB.EXE
1936	ashsvc.exe
1592	SVCHOSI.EXE
1380	COM2.EXE
5000	SVCHOSI.EXE
4592	COM1.EXE
4452	ashsvc.exe
2448	IUB.EXE
4408	COM2.EXE
4612	IUB.EXE
4596	COM2.EXE

Loads dropped DLL 6 IoCs

pid	Process
1936	ashsvc.exe
1936	ashsvc.exe
1936	ashsvc.exe
4452	ashsvc.exe
4452	ashsvc.exe
4452	ashsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSix = "C:\\Windows\\System32\\SVCHOSI.EXE"	REG.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.exe	SVCHOSI.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File created	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\2026\desktop.ini	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ashsvc.exe	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	COM2.EXE
File opened for modification	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\SVCHOSI.EXE	IUB.EXE
File opened for modification	C:\Windows\SysWOW64\2026\	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\ssleay32.dll	COM2.EXE
File created	C:\Windows\SysWOW64\2026\2045\libeay32.dll	COM2.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2296	REG.exe
3972	REG.exe
2572	REG.exe
2688	REG.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1936	ashsvc.exe
1936	ashsvc.exe
4452	ashsvc.exe
4452	ashsvc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
996	7b1c0139de262799dca2bb054e3db974.exe
2780	IUB.EXE
1592	SVCHOSI.EXE
1380	COM2.EXE
5000	SVCHOSI.EXE
4592	COM1.EXE
2448	IUB.EXE
4408	COM2.EXE
4612	IUB.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2780	996	7b1c0139de262799dca2bb054e3db974.exe	95
PID 996 wrote to memory of 2780	996	7b1c0139de262799dca2bb054e3db974.exe	95
PID 996 wrote to memory of 2780	996	7b1c0139de262799dca2bb054e3db974.exe	95
PID 2780 wrote to memory of 1936	2780	IUB.EXE	96
PID 2780 wrote to memory of 1936	2780	IUB.EXE	96
PID 2780 wrote to memory of 1936	2780	IUB.EXE	96
PID 2780 wrote to memory of 1592	2780	IUB.EXE	97
PID 2780 wrote to memory of 1592	2780	IUB.EXE	97
PID 2780 wrote to memory of 1592	2780	IUB.EXE	97
PID 996 wrote to memory of 1380	996	7b1c0139de262799dca2bb054e3db974.exe	98
PID 996 wrote to memory of 1380	996	7b1c0139de262799dca2bb054e3db974.exe	98
PID 996 wrote to memory of 1380	996	7b1c0139de262799dca2bb054e3db974.exe	98
PID 1380 wrote to memory of 2296	1380	COM2.EXE	100
PID 1380 wrote to memory of 2296	1380	COM2.EXE	100
PID 1380 wrote to memory of 2296	1380	COM2.EXE	100
PID 1380 wrote to memory of 3972	1380	COM2.EXE	102
PID 1380 wrote to memory of 3972	1380	COM2.EXE	102
PID 1380 wrote to memory of 3972	1380	COM2.EXE	102
PID 1380 wrote to memory of 5000	1380	COM2.EXE	103
PID 1380 wrote to memory of 5000	1380	COM2.EXE	103
PID 1380 wrote to memory of 5000	1380	COM2.EXE	103
PID 2780 wrote to memory of 4592	2780	IUB.EXE	105
PID 2780 wrote to memory of 4592	2780	IUB.EXE	105
PID 2780 wrote to memory of 4592	2780	IUB.EXE	105
PID 1380 wrote to memory of 2572	1380	COM2.EXE	106
PID 1380 wrote to memory of 2572	1380	COM2.EXE	106
PID 1380 wrote to memory of 2572	1380	COM2.EXE	106
PID 1380 wrote to memory of 2688	1380	COM2.EXE	107
PID 1380 wrote to memory of 2688	1380	COM2.EXE	107
PID 1380 wrote to memory of 2688	1380	COM2.EXE	107
PID 1380 wrote to memory of 4452	1380	COM2.EXE	110
PID 1380 wrote to memory of 4452	1380	COM2.EXE	110
PID 1380 wrote to memory of 4452	1380	COM2.EXE	110
PID 1592 wrote to memory of 2448	1592	SVCHOSI.EXE	111
PID 1592 wrote to memory of 2448	1592	SVCHOSI.EXE	111
PID 1592 wrote to memory of 2448	1592	SVCHOSI.EXE	111
PID 1592 wrote to memory of 4408	1592	SVCHOSI.EXE	112
PID 1592 wrote to memory of 4408	1592	SVCHOSI.EXE	112
PID 1592 wrote to memory of 4408	1592	SVCHOSI.EXE	112
PID 1592 wrote to memory of 4612	1592	SVCHOSI.EXE	113
PID 1592 wrote to memory of 4612	1592	SVCHOSI.EXE	113
PID 1592 wrote to memory of 4612	1592	SVCHOSI.EXE	113
PID 1592 wrote to memory of 4596	1592	SVCHOSI.EXE	114
PID 1592 wrote to memory of 4596	1592	SVCHOSI.EXE	114
PID 1592 wrote to memory of 4596	1592	SVCHOSI.EXE	114

C:\Users\Admin\AppData\Local\Temp\7b1c0139de262799dca2bb054e3db974.exe
"C:\Users\Admin\AppData\Local\Temp\7b1c0139de262799dca2bb054e3db974.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2448
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4612
  - - C:\COM2.EXE
      \\.\C:\COM2.EXE
      4⤵
      Executes dropped EXE
      PID:4596
- - C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4592
- C:\COM2.EXE
  \\.\C:\COM2.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v NTLOADER REG_SZ /d "C:\COM2.EXE"
    3⤵
    - Modifies registry key
    PID:2296
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v WinSix /t REG_SZ /d "C:\Windows\System32\SVCHOSI.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3972
- - C:\Windows\SysWOW64\SVCHOSI.EXE
    C:\Windows\System32\SVCHOSI.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5000
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2572
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState /f /v FullPath /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2688
- - C:\Windows\SysWOW64\2026\2045\ashsvc.exe
    C:\Windows\System32\2026\2045\ashsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\COM2.EXE

Filesize
965KB

MD5
5fd09c6f62d0db821e1f93524aeb9d93

SHA1
0affbc229b400f478c855166c1b46711b7d903f8

SHA256
290abcc77cf070b5c7b9e0cfc8bb3b1e83749ff913c6c01ae488a133a04f8f48

SHA512
69c83c5ca65d9a45a1e40a08bcc3f5bd0b92b95fa9de97e70eac757ad875e6f3ce4bc4db908137bb410374ee559b50adc4b608ba3abe6eca164725c310ac3f6a

Download Submit
C:\COM2.EXE

Filesize
1.1MB

MD5
e181dd6b90bac104b94cea307e8957ed

SHA1
408b9edf455eb19f1484db5aee4367df42cfe326

SHA256
e1e5c90c83ae8dc699f747d6596539a9108a6089fa58a2d200ec39b3d7b9b1ec

SHA512
34057aae3bff244962a77f88b4737a063e7dcf8631086dc04b34c7eb834cf003d23283f5da49b618725fb1c58df1e66197abb5c384befda0536ba2f4b2fe94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
953KB

MD5
6902e0f80015c82037143d92bab2af7c

SHA1
1c77977cecc1893e623a5d2751519eb9251cc004

SHA256
6d5e764b061a9be2dac13b21354b07218a688c8c5087e151ce92c0cbba60c742

SHA512
e81f624915c902562de3517f438201b5280075f22e5c30717f74dc9cc2d92d15e3990afaacead6052764abfe43e9e5b06305ec37a43340871c76006b45172a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\COM1.EXE

Filesize
1.1MB

MD5
c1a0abd665a806e74cbc28510aeaace5

SHA1
7647c2b71c879f3fefdcd82215ebe296dbfd07ad

SHA256
e771e3b0bdf0703b69cf103a41de9c9096954c33c645b2e7776346c3f0610c04

SHA512
b84999481045efa7ac9edfafb9257cdcbb3abc23008c731e5f482dd593a5b70c45e837df177d04d17dc9a753060ce09fbace20b79f9cb22b432fa53462916ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
558KB

MD5
a6d0f3b105abdf0241904a58c76df72c

SHA1
54dd39dfcc7dcd89f52de564df33b0ad7a6d9352

SHA256
c69726b895c385396ce16b5bbb0f9c42a45922be94a88ad7e25426ed62dcf545

SHA512
5885a318009813e38c67dacd1e3b545c52bbadc52f62e59f5f139e90788752ba8185a27729d779111f88e85cb0859d00b6c99c91fea454456265e3e19895bbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
923KB

MD5
4af8fa6dc0d0559ab2d6421b4548ef57

SHA1
cc373b7bd3046b719cea49e122d2876ea09bb1c8

SHA256
8da830c26badcfb57ade2ac719bcccc6ebbd92ccf859dfbc7f1c7a26c61455dc

SHA512
41b3bf36faca1505ba21988baff6657001682e72c78b5a0eb0369b74f8b033f10c45a40d0b733c36f6fd127a0986b64cf0289593d65e15bc4d5038b8f7bd4766

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\IUB.EXE

Filesize
1.1MB

MD5
8c548f29daec3a392c2e793f9aaf9bb9

SHA1
e082814099ce6eba40cae7a538dee42a76ce3238

SHA256
b63378d9b03470493fc80b8ab68d66c145a3c9abd87380ae2d5c571a9510527e

SHA512
d486eee0bc642813e8b64e77d11997824a3d80e8311ceb62f4e395cc22cebfb3a104255a1297594153627365426108431cd38e198fb1cd8c9fdb5bcd03441ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\LIBEAY32.dll

Filesize
494KB

MD5
198d065bd0714482011917307c9ebf46

SHA1
b834c8a5396e59b0fd051dda8849cf9b999aa625

SHA256
acee024120921b1f406d6d7f6d5facf054083ab55993ce4c1ba5ebd6595c7e43

SHA512
489d38aee5d95a9611aff4b170113250d1608e9dc3f496f73018e9980de91f30e58edec0e37d4468f093867d5848044136b0934ee35345daa5a63c73b3e96120

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ashsvc.exe

Filesize
125KB

MD5
b33db6ac948c4b6e8d0e5c082b9a303a

SHA1
261fd70fb578503c770d0aaccc4fb861cf9ce7fe

SHA256
b50406caf4b61ca379c6408631d4916f33b87efd3d5f23fb9a7433dd4ff78121

SHA512
24123ecb50205122dbaf595822a5165e2eb370c78bea45122ef1af95c128ced2f1834a5e3d301047bf62bf104cf7038e8e47fa5b926c28f4b29406cdfac17045

Download Submit
C:\Users\Admin\AppData\Local\Temp\$Tmp~12026\ssleay32.dll

Filesize
117KB

MD5
c1afdf88451258af208c2eaf90a3e074

SHA1
cc3473b7949e631c4ca0bec21d9430e34e310f2f

SHA256
295331b60026555ea5f27f0e87d5b9d90a5c5fedb656c945d80a3470d4851cc8

SHA512
768330c2bc3ec9ac6803532d833200569442fc5d95193562d8811695b649400eba2ea8166d4f7806a7d9bf6ffbd80c74983f5d05d6698b8f877796f542913609

Download Submit
C:\Windows\SysWOW64\SVCHOSI.EXE

Filesize
1.1MB

MD5
0da31aec474bf8c8feae9a2085dc58c1

SHA1
23ce1124036f8072f633aa8fb4d874bc42f5b056

SHA256
0489f75a389e73f75a623ea2f5e9a790e2230355626401721b0267c3b0b0a183

SHA512
68cc5ab8b400697c5c754501945744474ca83f2056d9af4a395824b556658633a5045c38393fa41905a9c11470ce461a8accd9979de74056f347137bbc662c66

Download Submit
C:\Windows\SysWOW64\SVCHOSI.EXE

Filesize
851KB

MD5
62168aa307564d22d6438a9092dc1130

SHA1
f5beede89e7a5e608d518f29568d779698ab73d3

SHA256
a3c0b602e56950df0e4d1338f8eb38b511c5aaf01651a5b5863e6b65de883c3a

SHA512
cf20395ec2720d281608b7ee127fbd9f80ab69a9125aac08ae5a071e94cad96e053c735d6639b0414fc82394ff69851430c7e80a4e2fd1be04ddbc743da34ee7

Download Submit
memory/996-0-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/996-49-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/996-8-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1380-91-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1380-48-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1380-42-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1592-47-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1592-35-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1936-25-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1936-19-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1936-26-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1936-22-0x0000000000C10000-0x0000000000C5B000-memory.dmp

Filesize
300KB

Download
memory/1936-24-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/1936-27-0x0000000000E50000-0x0000000000E9B000-memory.dmp

Filesize
300KB

Download
memory/2448-102-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2448-99-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2780-7-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2780-30-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2780-88-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4408-110-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4408-107-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4452-87-0x0000000000BC0000-0x0000000000C0B000-memory.dmp

Filesize
300KB

Download
memory/4452-85-0x0000000010000000-0x0000000010135000-memory.dmp

Filesize
1.2MB

Download
memory/4452-83-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4592-60-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4592-66-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4596-139-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4596-142-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4612-134-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/5000-52-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/5000-55-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download