365cf2a8738e55585d84b70aa2802bd30c3e22e560f5fb9ab38cde9ab1d45bce

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 23:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.6MB
MD5

d7dd4e50ceb8ed99af2f22deea20dc01
SHA1

e27773eb161df7114e9342375397e60fedf60a57
SHA256

c9594974db1be34b6694f0d1e94fc5130a3668d41cdbc003e0a6547b2b4fa8d2
SHA512

7d36b63a4acd94f5be946eddfbdecf303c0cc53b6550df9d5af80b02c9a3a8046a9402493d12f51375cc9dbb0ecbacd0137832b5cfc69bd2a50e98f8fd5c0ce0
SSDEEP

24576:0vDia9o++f3uEvDGcG5qE9WerjSLWJtV54r2TYm6rohV:07iaMukA5qmJOr5m

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\users\\admin\\appdata\\local\\temp\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "xiRCon"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\svchost.exe\""	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "xiRCon"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\users\\admin\\appdata\\local\\temp\\svchost.exe\""	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4644	svchost.exe
4644	svchost.exe
4644	svchost.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4644	svchost.exe
4644	svchost.exe
4644	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4644	svchost.exe
4644	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avis.prx

Filesize
2KB

MD5
63cf09be027d0d14daa09db9ab2a49fa

SHA1
ce9dcfb697535eccbc76de118d4cd5a63cd20689

SHA256
019ae637ec9e68fc33174bdb64ae8796f706ed88e7a829e3fc0abdff5c1b2729

SHA512
f5df6848783d8d980b1d865645ac4988ab64d2ddf6f2f659bf4d6a4dd46a7b60e73527e738158d95c37d851b984d95787d38d7471b73a4248f718de862090aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\avis.prx

Filesize
2KB

MD5
330c97c8f25fb6b012dcba152f7927ee

SHA1
2a82bbe80eb0a26d6e9004a5ff2a1049db83ef61

SHA256
c0a919fd85b9f8fb3ed8a21f7c5319780a3d47280f376f6e3189318bbd00d358

SHA512
52eac6b600ce1ca2a3ecd186230535ee13206e740d8fdfa413c179cef4b3bf68c9e97b74f417f387ab6db9cb90b3faca9e20f0d6320b5c3fc1652f8b9b4f7615

Download Submit
C:\Users\Admin\AppData\Local\Temp\avis.prx

Filesize
2KB

MD5
e3de32d318a77933730243142d96fd39

SHA1
834289ec10bf12c5dde84efc6c532eb71712af11

SHA256
f9857a3e4c908ef012c540342d8548be8d73102211417e2c8401d2cba8ca3554

SHA512
e2e2cb3f412c4a3358b1767ecd60dd854c473735cd173effe9a458a62f4d426702835cb842d4f64223a1bdcaf41c11c0fff857899d55e463304f624b34b4b49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avis.prx

Filesize
2KB

MD5
1a5154a31b5c6ebcc3708f650fcb917e

SHA1
3da154088667469c4c791d46c1beee2bd4d24105

SHA256
0c2f29e4d57b532aa73eeb764d2581585f6faf53ed43e7f16b8542b112022395

SHA512
20d8469f5f4304cc631b6a50bf95d1a33cf7ef0059c00495505b11de0058c5b380fbbeb5f55163abc617f38ae2b016c6d2476cfd80ebd53a8da2e6ed65eb4969

Download Submit
C:\Users\Admin\AppData\Local\Temp\avis.prx

Filesize
2KB

MD5
04bbb2c8a5c3c7c23d605af408057bb8

SHA1
bb99df7958301ba9e9547d8a1c55aac69d389409

SHA256
61f729802c277744f4b8df7c96b1f4f2a1e8d4115bede4c5d1396e9b7d375a80

SHA512
54965646672a7935a1b1f94a7149d12c594ccbc437e57d4e5a15fc213c49ff1bbb010748d34373da73f9c49309482454329b14e2a7e08703771d977640c5a38c

Download Submit
memory/4644-121-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-126-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-120-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-118-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-122-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-124-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-125-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-119-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-127-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-128-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-129-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-130-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-132-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4644-133-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download