Analysis
max time kernel: 35s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-02-2024 15:10

Static task: static1
Behavioral task: behavioral1
  Sample: 8f78832d0481f5a37990941ca2c78ed1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8f78832d0481f5a37990941ca2c78ed1.exe
  Resource: win10v2004-20231215-en
General
Target: 8f78832d0481f5a37990941ca2c78ed1.exe
Size: 21KB
MD5: 8f78832d0481f5a37990941ca2c78ed1
SHA1: d2d951940a5633ae594c05fbe4ccb9a544bd457d
SHA256: 16abb80e73599e6bbcb353667a743ff48b87a68ee2fb7489562325d6acd1d95a
SHA512: a7fdb2979b24675131a7a1385f695cd70db58d0720544e97decc3db744b6cbf31ad3e9102e73ef5367cbc81a981cc521c14d5f8691e8f4d1410a14672f08422b
SSDEEP: 384:Z8sCHeP5IEA2ZUBTFSrR1ufAtUXNfQE7:ZlCH7EVZUBTFK1uZXNT
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | winexec.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | 8f78832d0481f5a37990941ca2c78ed1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | scvhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | winlog.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\winlog.com\"" | caudio.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | scvhost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | scvhost.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | scvhost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Scan.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Scan.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlog.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winexec.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Scan.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8f78832d0481f5a37990941ca2c78ed1.exe
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 8 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | scvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Scan.com
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Scan.com
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | winlog.com
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | caudio.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | winexec.com
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | Scan.com
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 8f78832d0481f5a37990941ca2c78ed1.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com | 8f78832d0481f5a37990941ca2c78ed1.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com | 8f78832d0481f5a37990941ca2c78ed1.exe
Executes dropped EXE (32 IoCs)
pid | Process
2568 | scvhost.exe
3544 | scvhost.exe
2616 | Scan.com
3020 | Scan.com
4544 | scvhost.exe
2276 | scvhost.exe
2656 | Scan.com
4728 | Scan.com
316 | winlog.com
2340 | caudio.exe
1968 | scvhost.exe
464 | winexec.com
2776 | scvhost.exe
2052 | winlog.com
3600 | winlog.com
2856 | sihclient.exe
3912 | scvhost.exe
2376 | caudio.exe
4836 | winexec.com
3636 | scvhost.exe
5104 | winexec.com
4816 | scvhost.exe
1256 | Scan.com
3412 | scvhost.exe
2268 | Scan.com
3900 | scvhost.exe
3012 | Scan.com
4888 | Scan.com
4616 | winlog.com
1980 | caudio.exe
2420 | scvhost.exe
1364 | winexec.com
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | 8f78832d0481f5a37990941ca2c78ed1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | 8f78832d0481f5a37990941ca2c78ed1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | scvhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | Scan.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | Scan.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | 8f78832d0481f5a37990941ca2c78ed1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | Scan.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | Scan.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | winlog.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | winlog.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | winlog.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | caudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | caudio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | winexec.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | scvhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | Scan.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccApp = "C:\\Windows\\system\\winexec.com" | caudio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio = "C:\\Windows\\system32\\caudio.exe" | winexec.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | winexec.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logon = "C:\\Windows\\winlog.com" | scvhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | winlog.com
File opened (read-only) | \??\R: | winlog.com
File opened (read-only) | \??\V: | winlog.com
File opened (read-only) | \??\E: | winlog.com
File opened (read-only) | \??\J: | winlog.com
File opened (read-only) | \??\K: | winlog.com
File opened (read-only) | \??\P: | winlog.com
File opened (read-only) | \??\U: | winlog.com
File opened (read-only) | \??\Z: | winlog.com
File opened (read-only) | \??\I: | winlog.com
File opened (read-only) | \??\L: | winlog.com
File opened (read-only) | \??\M: | winlog.com
File opened (read-only) | \??\Q: | winlog.com
File opened (read-only) | \??\X: | winlog.com
File opened (read-only) | \??\A: | winlog.com
File opened (read-only) | \??\G: | winlog.com
File opened (read-only) | \??\H: | winlog.com
File opened (read-only) | \??\Y: | winlog.com
File opened (read-only) | \??\T: | winlog.com
File opened (read-only) | \??\W: | winlog.com
File opened (read-only) | \??\B: | winlog.com
File opened (read-only) | \??\O: | winlog.com
File opened (read-only) | \??\S: | winlog.com
Drops file in System32 directory (46 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | winlog.com
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | caudio.exe
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | winexec.com
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | winexec.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | Scan.com
File created | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | winlog.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | winlog.com
File created | C:\Windows\SysWOW64\caudio.exe | winexec.com
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File created | C:\Windows\SysWOW64\Startup\Scan.com | winlog.com
File created | C:\Windows\SysWOW64\caudio.exe | caudio.exe
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | caudio.exe
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | winexec.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | 8f78832d0481f5a37990941ca2c78ed1.exe
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | scvhost.exe
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File created | C:\Windows\SysWOW64\caudio.exe | Scan.com
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | winlog.com
File created | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | caudio.exe
File created | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File created | C:\Windows\SysWOW64\caudio.exe | 8f78832d0481f5a37990941ca2c78ed1.exe
File opened for modification | C:\Windows\SysWOW64\caudio.exe | scvhost.exe
File created | C:\Windows\SysWOW64\caudio.exe | scvhost.exe
File opened for modification | C:\Windows\SysWOW64\caudio.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | caudio.exe
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\Scan.com | scvhost.exe
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | scvhost.exe
File created | C:\Windows\SysWOW64\caudio.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\Startup\scvhost.exe | Scan.com
File created | C:\Windows\SysWOW64\caudio.exe | winlog.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | winexec.com
File created | C:\Windows\SysWOW64\caudio.exe | Scan.com
File opened for modification | C:\Windows\SysWOW64\caudio.exe | 8f78832d0481f5a37990941ca2c78ed1.exe
File created | C:\Windows\SysWOW64\Startup\scvhost.exe | 8f78832d0481f5a37990941ca2c78ed1.exe
File created | C:\Windows\SysWOW64\Startup\Scan.com | scvhost.exe
File created | C:\Windows\SysWOW64\Startup\Scan.com | caudio.exe
File created | C:\Windows\SysWOW64\Startup\Scan.com | winexec.com
Drops file in Windows directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\winlog.com | 8f78832d0481f5a37990941ca2c78ed1.exe
File created | C:\Windows\winlog.com | scvhost.exe
File opened for modification | C:\Windows\winlog.com | winexec.com
File created | C:\Windows\winlog.com | winexec.com
File opened for modification | C:\Windows\system\winexec.com | scvhost.exe
File created | C:\Windows\winlog.com | caudio.exe
File opened for modification | C:\Windows\winlog.com | Scan.com
File created | C:\Windows\system\winexec.com | Scan.com
File opened for modification | C:\Windows\system\winexec.com | Scan.com
File created | C:\Windows\system\winexec.com | winlog.com
File opened for modification | C:\Windows\system\winexec.com | caudio.exe
File created | C:\Windows\system\winexec.com | 8f78832d0481f5a37990941ca2c78ed1.exe
File opened for modification | C:\Windows\system\winexec.com | Scan.com
File opened for modification | C:\Windows\winlog.com | caudio.exe
File created | C:\Windows\winlog.com | 8f78832d0481f5a37990941ca2c78ed1.exe
File opened for modification | C:\Windows\winlog.com | winlog.com
File opened for modification | C:\Windows\system\winexec.com | winexec.com
File created | C:\Windows\winlog.com | Scan.com
File created | C:\Windows\system\winexec.com | Scan.com
File opened for modification | C:\Windows\system\winexec.com | winlog.com
File created | C:\Windows\winlog.com | winlog.com
File created | C:\Windows\system\winexec.com | caudio.exe
File opened for modification | C:\Windows\system\winexec.com | Scan.com
File opened for modification | C:\Windows\system\winexec.com | 8f78832d0481f5a37990941ca2c78ed1.exe
File created | C:\Windows\system\winexec.com | scvhost.exe
File created | C:\Windows\winlog.com | Scan.com
File created | C:\Windows\winlog.com | Scan.com
File opened for modification | C:\Windows\winlog.com | scvhost.exe
File opened for modification | C:\Windows\winlog.com | Scan.com
File opened for modification | C:\Windows\winlog.com | Scan.com
File created | C:\Windows\system\winexec.com | winexec.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Scan.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Scan.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 8f78832d0481f5a37990941ca2c78ed1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Scan.com
Suspicious use of SetWindowsHookEx (33 IoCs)
pid | Process
4160 | 8f78832d0481f5a37990941ca2c78ed1.exe
2568 | scvhost.exe
3544 | scvhost.exe
2616 | Scan.com
3020 | Scan.com
2276 | scvhost.exe
4544 | scvhost.exe
2656 | Scan.com
4728 | Scan.com
316 | winlog.com
2340 | caudio.exe
1968 | scvhost.exe
464 | winexec.com
2776 | scvhost.exe
2052 | winlog.com
3600 | winlog.com
4836 | winexec.com
2856 | sihclient.exe
2376 | caudio.exe
3636 | scvhost.exe
3912 | scvhost.exe
5104 | winexec.com
4816 | scvhost.exe
1256 | Scan.com
3412 | scvhost.exe
2268 | Scan.com
3900 | scvhost.exe
3012 | Scan.com
4888 | Scan.com
4616 | winlog.com
1980 | caudio.exe
2420 | scvhost.exe
1364 | winexec.com
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4160 wrote to memory of 2568 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 85
PID 4160 wrote to memory of 2568 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 85
PID 4160 wrote to memory of 2568 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 85
PID 2568 wrote to memory of 3544 | 2568 | scvhost.exe | 86
PID 2568 wrote to memory of 3544 | 2568 | scvhost.exe | 86
PID 2568 wrote to memory of 3544 | 2568 | scvhost.exe | 86
PID 4160 wrote to memory of 2616 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 90
PID 4160 wrote to memory of 2616 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 90
PID 4160 wrote to memory of 2616 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 90
PID 2568 wrote to memory of 3020 | 2568 | scvhost.exe | 87
PID 2568 wrote to memory of 3020 | 2568 | scvhost.exe | 87
PID 2568 wrote to memory of 3020 | 2568 | scvhost.exe | 87
PID 2616 wrote to memory of 4544 | 2616 | Scan.com | 89
PID 2616 wrote to memory of 4544 | 2616 | Scan.com | 89
PID 2616 wrote to memory of 4544 | 2616 | Scan.com | 89
PID 3020 wrote to memory of 2276 | 3020 | Scan.com | 88
PID 3020 wrote to memory of 2276 | 3020 | Scan.com | 88
PID 3020 wrote to memory of 2276 | 3020 | Scan.com | 88
PID 3020 wrote to memory of 2656 | 3020 | Scan.com | 91
PID 3020 wrote to memory of 2656 | 3020 | Scan.com | 91
PID 3020 wrote to memory of 2656 | 3020 | Scan.com | 91
PID 2616 wrote to memory of 4728 | 2616 | Scan.com | 92
PID 2616 wrote to memory of 4728 | 2616 | Scan.com | 92
PID 2616 wrote to memory of 4728 | 2616 | Scan.com | 92
PID 4160 wrote to memory of 316 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 94
PID 4160 wrote to memory of 316 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 94
PID 4160 wrote to memory of 316 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 94
PID 4160 wrote to memory of 2340 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 95
PID 4160 wrote to memory of 2340 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 95
PID 4160 wrote to memory of 2340 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 95
PID 4160 wrote to memory of 1968 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 120
PID 4160 wrote to memory of 1968 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 120
PID 4160 wrote to memory of 1968 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 120
PID 4160 wrote to memory of 464 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 96
PID 4160 wrote to memory of 464 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 96
PID 4160 wrote to memory of 464 | 4160 | 8f78832d0481f5a37990941ca2c78ed1.exe | 96
PID 316 wrote to memory of 2776 | 316 | winlog.com | 97
PID 316 wrote to memory of 2776 | 316 | winlog.com | 97
PID 316 wrote to memory of 2776 | 316 | winlog.com | 97
PID 2616 wrote to memory of 2052 | 2616 | Scan.com | 98
PID 2616 wrote to memory of 2052 | 2616 | Scan.com | 98
PID 2616 wrote to memory of 2052 | 2616 | Scan.com | 98
PID 3020 wrote to memory of 3600 | 3020 | Scan.com | 119
PID 3020 wrote to memory of 3600 | 3020 | Scan.com | 119
PID 3020 wrote to memory of 3600 | 3020 | Scan.com | 119
PID 3020 wrote to memory of 2856 | 3020 | Scan.com | 124
PID 3020 wrote to memory of 2856 | 3020 | Scan.com | 124
PID 3020 wrote to memory of 2856 | 3020 | Scan.com | 124
PID 3020 wrote to memory of 3912 | 3020 | Scan.com | 117
PID 3020 wrote to memory of 3912 | 3020 | Scan.com | 117
PID 3020 wrote to memory of 3912 | 3020 | Scan.com | 117
PID 2616 wrote to memory of 2376 | 2616 | Scan.com | 116
PID 2616 wrote to memory of 2376 | 2616 | Scan.com | 116
PID 2616 wrote to memory of 2376 | 2616 | Scan.com | 116
PID 3020 wrote to memory of 4836 | 3020 | Scan.com | 115
PID 3020 wrote to memory of 4836 | 3020 | Scan.com | 115
PID 3020 wrote to memory of 4836 | 3020 | Scan.com | 115
PID 2616 wrote to memory of 3636 | 2616 | Scan.com | 99
PID 2616 wrote to memory of 3636 | 2616 | Scan.com | 99
PID 2616 wrote to memory of 3636 | 2616 | Scan.com | 99
PID 2616 wrote to memory of 5104 | 2616 | Scan.com | 114
PID 2616 wrote to memory of 5104 | 2616 | Scan.com | 114
PID 2616 wrote to memory of 5104 | 2616 | Scan.com | 114
PID 2340 wrote to memory of 4816 | 2340 | caudio.exe | 113
Processes
(each entry gives the image path, the command line as executed, the process depth in the tree, the PID, and the signatures triggered by that process; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\8f78832d0481f5a37990941ca2c78ed1.exe (depth 1, PID 4160)
  command line: "C:\Users\Admin\AppData\Local\Temp\8f78832d0481f5a37990941ca2c78ed1.exe"
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Startup\scvhost.exe (depth 2, PID 2568)
    command line: "C:\Windows\system32\Startup\scvhost.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 3544)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 3020)
      command line: "C:\Windows\System32\Startup\Scan.com"
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Startup\scvhost.exe (depth 4, PID 2276)
        command line: "C:\Windows\system32\Startup\scvhost.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\Startup\Scan.com (depth 4, PID 2656)
        command line: "C:\Windows\System32\Startup\Scan.com"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\system\winexec.com (depth 4, PID 4836)
        command line: "C:\Windows\system\winexec.com"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\Startup\scvhost.exe (depth 4, PID 3912)
        command line: "C:\Windows\system32\Startup\scvhost.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\caudio.exe (depth 4, PID 2856)
        command line: "C:\Windows\system32\caudio.exe"

      C:\Windows\winlog.com (depth 4, PID 3600)
        command line: "C:\Windows\winlog.com"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com (depth 2, PID 2616)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan.com"
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 4728)
      command line: "C:\Windows\System32\Startup\Scan.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\winlog.com (depth 3, PID 2052)
      command line: "C:\Windows\winlog.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 3636)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\system\winexec.com (depth 3, PID 5104)
      command line: "C:\Windows\system\winexec.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\caudio.exe (depth 3, PID 2376)
      command line: "C:\Windows\system32\caudio.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Windows\winlog.com (depth 2, PID 316)
    command line: "C:\Windows\winlog.com"
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 2776)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 1256)
      command line: "C:\Windows\System32\Startup\Scan.com"
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\caudio.exe (depth 2, PID 2340)
    command line: "C:\Windows\system32\caudio.exe"
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 2268)
      command line: "C:\Windows\System32\Startup\Scan.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 4816)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Windows\system\winexec.com (depth 2, PID 464)
    command line: "C:\Windows\system\winexec.com"
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\scvhost.exe (depth 3, PID 3412)
      command line: "C:\Windows\system32\Startup\scvhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Startup\Scan.com (depth 3, PID 3012)
      command line: "C:\Windows\System32\Startup\Scan.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\Startup\scvhost.exe (depth 2, PID 1968)
    command line: "C:\Windows\system32\Startup\scvhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\Startup\scvhost.exe (depth 1, PID 4544)
  command line: "C:\Windows\system32\Startup\scvhost.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\Startup\scvhost.exe (depth 1, PID 3900)
  command line: "C:\Windows\system32\Startup\scvhost.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\Startup\Scan.com (depth 1, PID 4888)
  command line: "C:\Windows\System32\Startup\Scan.com"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\Startup\scvhost.exe (depth 1, PID 2420)
  command line: "C:\Windows\system32\Startup\scvhost.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system\winexec.com (depth 1, PID 1364)
  command line: "C:\Windows\system\winexec.com"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\caudio.exe (depth 1, PID 1980)
  command line: "C:\Windows\system32\caudio.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\winlog.com (depth 1, PID 4616)
  command line: "C:\Windows\winlog.com"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\sihclient.exe (depth 1, PID 2856)
  command line: C:\Windows\System32\sihclient.exe /cv uElzg+y1x0qW6k/54cBaeg.0.2
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (4)
Downloads

Filesize: 25B
MD5: b28b76dd27531fb71240e74117201437
SHA1: 128f5be3f1d22da817cf5bded45c59360447de38
SHA256: f8931c13a85927c02d741e619b9f3d9a97366a7ba5b5abc2903e6986a647c53d
SHA512: 7377f74e81c42f3bf4d4ba8bb593801d0e049a63b800e7cce5ad055107fcd4aa754cb73a387b0eb61f4a9b6787532ba0672c5aa280b73231fe1d8b86f30b5e98

Filesize: 21KB
MD5: 8f78832d0481f5a37990941ca2c78ed1
SHA1: d2d951940a5633ae594c05fbe4ccb9a544bd457d
SHA256: 16abb80e73599e6bbcb353667a743ff48b87a68ee2fb7489562325d6acd1d95a
SHA512: a7fdb2979b24675131a7a1385f695cd70db58d0720544e97decc3db744b6cbf31ad3e9102e73ef5367cbc81a981cc521c14d5f8691e8f4d1410a14672f08422b