Analysis
-
max time kernel
142s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
15/03/2024, 03:44
Static task
static1
Behavioral task
behavioral1
Sample
ca6630338b490e1ec5803a080aa3ed37.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ca6630338b490e1ec5803a080aa3ed37.exe
Resource
win10v2004-20240226-en
General
-
Target
ca6630338b490e1ec5803a080aa3ed37.exe
-
Size
158KB
-
MD5
ca6630338b490e1ec5803a080aa3ed37
-
SHA1
84af70d6b02cd39a152712bdd287ee6b551b36ca
-
SHA256
9abe52617f5243dd82f106deb57d890f2ed77a63be6de4e67c354d74941c2f0d
-
SHA512
43399342426a712a8218eca63cba1ca6000b5a73891fe91fd70cbee40e15f482b02907e4b9356912b549d1f2fa467d5fac6ebe4f02db4b20f2d9f7f75fd7759d
-
SSDEEP
3072:KqQ+glQWLIjZ/3HCd8tvUuEeMYCKNklApHDq109Ma4cKeurjjf7b:/PYIOnh9KNklIA8grf
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
1580 svchost.exe
-
Loads dropped DLL 2 IoCs
pid Process
2516 ca6630338b490e1ec5803a080aa3ed37.exe
2516 ca6630338b490e1ec5803a080aa3ed37.exe
-
Enumerates connected drives 3 TTPs 34 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: svchost.exe
File opened (read-only) \??\J: svchost.exe
File opened (read-only) \??\L: svchost.exe
File opened (read-only) \??\V: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\S: svchost.exe
File opened (read-only) \??\V: svchost.exe
File opened (read-only) \??\I: svchost.exe
File opened (read-only) \??\K: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\L: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\P: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\R: svchost.exe
File opened (read-only) \??\I: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\U: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\H: svchost.exe
File opened (read-only) \??\M: svchost.exe
File opened (read-only) \??\S: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\K: svchost.exe
File opened (read-only) \??\T: svchost.exe
File opened (read-only) \??\J: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\M: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\N: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\Q: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\R: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\T: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\G: svchost.exe
File opened (read-only) \??\O: svchost.exe
File opened (read-only) \??\G: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\U: svchost.exe
File opened (read-only) \??\H: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\O: ca6630338b490e1ec5803a080aa3ed37.exe
File opened (read-only) \??\N: svchost.exe
File opened (read-only) \??\P: svchost.exe
File opened (read-only) \??\Q: svchost.exe
File opened (read-only) \??\E: ca6630338b490e1ec5803a080aa3ed37.exe
-
Drops file in Program Files directory 1 IoCs
description ioc Process
File created C:\Program Files (x86)\svchost.exe ca6630338b490e1ec5803a080aa3ed37.exe
-
Modifies registry class 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV ca6630338b490e1ec5803a080aa3ed37.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "052032069052044073109149049037100010164066040195194213179172045215193082156181047035233110240079014036173178175018034104088002107019059053156" ca6630338b490e1ec5803a080aa3ed37.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile ca6630338b490e1ec5803a080aa3ed37.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile svchost.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2516 ca6630338b490e1ec5803a080aa3ed37.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1580 svchost.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2516 wrote to memory of 1580 2516 ca6630338b490e1ec5803a080aa3ed37.exe 28
PID 2516 wrote to memory of 1580 2516 ca6630338b490e1ec5803a080aa3ed37.exe 28
PID 2516 wrote to memory of 1580 2516 ca6630338b490e1ec5803a080aa3ed37.exe 28
PID 2516 wrote to memory of 1580 2516 ca6630338b490e1ec5803a080aa3ed37.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca6630338b490e1ec5803a080aa3ed37.exe
"C:\Users\Admin\AppData\Local\Temp\ca6630338b490e1ec5803a080aa3ed37.exe"
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1580
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
159KB
MD5 fb85c903b2b2f94a873e9991ed5a46ea
SHA1 4b019dd0f6a3c2092d6515dcbbd31a0718998ff6
SHA256 e19993c9583bc548d936e1d33fac34e5ba975161b601d74af06cabdbf79bc134
SHA512 ea4dc05f99f9e822834818f9f15d8756225cf91308e3786cbd5b2ece7acaa0792a1e1df9b147ea4346ae7f5429776f578ab9e241508dd32f803c05d01e59b86f