568e942e0a1091158fd3ad3f2b8fb497bc6c8996ea0e5ff1fd0dd04fadfba31d

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1661cb3ae9edd40955afacb8c6f80d.exe
Size

51KB
MD5

ac1661cb3ae9edd40955afacb8c6f80d
SHA1

b1e19ca4d0ebe509b121ac2d75a92f29aec08d9f
SHA256

568e942e0a1091158fd3ad3f2b8fb497bc6c8996ea0e5ff1fd0dd04fadfba31d
SHA512

cd91723e79f495c328f3bfdebf1b3c9fb9b898445f5bf6e0be0128f5e11d61fb8b3662da847760cbdabaa5f9115c005c7722fabc0787c3f604cb188b0554bf2a
SSDEEP

768:WFh4uM71ea1nSlCZL2z/Ig5eOH0KHTqbb7Ky2HFf41aSFB9jEjgz4xQ:WIpvozwVq0KzRy2H13g/Ejgv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchots.exe"	svchots.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchots.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	svchots.exe
2588	svchots.exe

Loads dropped DLL 3 IoCs

pid	Process
2596	ac1661cb3ae9edd40955afacb8c6f80d.exe
2596	ac1661cb3ae9edd40955afacb8c6f80d.exe
2716	svchots.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchots.exe"	svchots.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchots.exe"	svchots.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2716 set thread context of 2588	2716	svchots.exe	30

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2596	ac1661cb3ae9edd40955afacb8c6f80d.exe
2588	svchots.exe
2588	svchots.exe
2588	svchots.exe
2588	svchots.exe
2588	svchots.exe
2588	svchots.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2084	ac1661cb3ae9edd40955afacb8c6f80d.exe
2084	ac1661cb3ae9edd40955afacb8c6f80d.exe
2716	svchots.exe
2716	svchots.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2084 wrote to memory of 2596	2084	ac1661cb3ae9edd40955afacb8c6f80d.exe	28
PID 2596 wrote to memory of 2716	2596	ac1661cb3ae9edd40955afacb8c6f80d.exe	29
PID 2596 wrote to memory of 2716	2596	ac1661cb3ae9edd40955afacb8c6f80d.exe	29
PID 2596 wrote to memory of 2716	2596	ac1661cb3ae9edd40955afacb8c6f80d.exe	29
PID 2596 wrote to memory of 2716	2596	ac1661cb3ae9edd40955afacb8c6f80d.exe	29
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30
PID 2716 wrote to memory of 2588	2716	svchots.exe	30

C:\Users\Admin\AppData\Local\Temp\ac1661cb3ae9edd40955afacb8c6f80d.exe
"C:\Users\Admin\AppData\Local\Temp\ac1661cb3ae9edd40955afacb8c6f80d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\ac1661cb3ae9edd40955afacb8c6f80d.exe
  C:\Users\Admin\AppData\Local\Temp\ac1661cb3ae9edd40955afacb8c6f80d.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\svchots.exe
    "C:\Users\Admin\AppData\Roaming\svchots.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\svchots.exe
      C:\Users\Admin\AppData\Roaming\svchots.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fla7DXG8N.tmp

Filesize
7B

MD5
ba9bf05693b9fa202d922dd43a08f281

SHA1
d5244a331aad290f924ed5ed8c070d65d2e0633e

SHA256
24e6654bfd1ab85bebb1f721a4be46e6fdb9ea8974d14442d3aaecd1f971fcbb

SHA512
32f2d0cd55c93caf5f3ccc41256d316565bb4faa36b88388ba9177bd55320d851af71517e9254e348d61d8630324cec0d175a400207c75cc06205caaf7ca51a6

Download Submit
\Users\Admin\AppData\Roaming\svchots.exe

Filesize
51KB

MD5
ac1661cb3ae9edd40955afacb8c6f80d

SHA1
b1e19ca4d0ebe509b121ac2d75a92f29aec08d9f

SHA256
568e942e0a1091158fd3ad3f2b8fb497bc6c8996ea0e5ff1fd0dd04fadfba31d

SHA512
cd91723e79f495c328f3bfdebf1b3c9fb9b898445f5bf6e0be0128f5e11d61fb8b3662da847760cbdabaa5f9115c005c7722fabc0787c3f604cb188b0554bf2a

Download Submit
memory/2084-2-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2084-20-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/2084-11-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2084-15-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2084-10-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/2084-9-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2084-8-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2084-7-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2084-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2084-5-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2084-4-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2084-3-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2084-12-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2084-1-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2084-14-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/2084-17-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/2084-0-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2084-18-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/2084-19-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2084-16-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2084-21-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/2084-13-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2588-70-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2588-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2588-79-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2588-78-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2588-68-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2588-76-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2588-74-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-66-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2716-45-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2716-53-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2716-44-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2716-39-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2716-46-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2716-47-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2716-48-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2716-49-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2716-50-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2716-51-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2716-52-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2716-43-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2716-54-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2716-38-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2716-37-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2716-42-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2716-41-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2716-40-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2716-55-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2716-56-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2716-57-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2716-58-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download