Analysis

  • max time kernel
    292s
  • max time network
    264s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 03:39

General

  • Target

    svhost.exe

  • Size

    350KB

  • MD5

    6fb915548ae2ce60326488761dedbe62

  • SHA1

    cd2f503b3194f1e0987f7cfee123ffc323dbe5c1

  • SHA256

    3594a403aca3195c3e9b74f95669e33548a06bfaccf6e9bc02b86767d38d214e

  • SHA512

    51ee2953cb70a3b0ae344cc274381adebf77fc249732189c77d1e8dc8682040ad0ae6faf850a40af58fa63a13b0e75286562204e40f02da480e5444047095828

  • SSDEEP

    6144:R19M6S33QFnHZxkcdaGB/D2IlV2qDClJL3tcTzQzerIaQTt7HYRh4E7kYFIhVF38:r9pSHKHZxkMBL2IlnYa18aOt74Ry+qhc

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
        C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Users\Admin\AppData\Roaming\netprotocol.exe
          C:\Users\Admin\AppData\Roaming\netprotocol.exe
          4⤵
          • Executes dropped EXE
          PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\svhost.exe" "C:\Program Files\Common Files\qip\svhost.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\reg.exe
        reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip\svhost.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\qip\svhost.exe"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Program Files\Common Files\qip"
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe

    Filesize

    80KB

    MD5

    7f550991510e8dd336b4321d719279b7

    SHA1

    3070f320a8f184ab1193dfc8cbfde6d5f91964c3

    SHA256

    905246be7f2ac87e583b541364513dd82a10e4751c615e6490ab80be6825f48c

    SHA512

    d0b6bad92cf6d6f8a98f0f343fdc6cb6b5a1e38c0fffa4b7209e0f3677aec8ddb8d678b55c3273aa59f9924353337a898dc74d85663321cda755ff36f9f0f858

  • C:\Users\Admin\AppData\Roaming\netprotocol.exe

    Filesize

    80KB

    MD5

    c6e74cb0d7e7360d2815233db46955c8

    SHA1

    02564a38bdac76485b63733636df50038f2b46c0

    SHA256

    b707cc9a8f323a32054401eb2e41dc88f49c727956cddb1f540793ba896cc41e

    SHA512

    2ef09cecec6313a5ee8b2023bb6cc2e812dd2ff7c670d2c9f7e75576f53c987cf115b84f8e2795429d431168b1c232acbea61afe00b47ed488cf03ecd9481487

  • memory/1748-1-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1748-0-0x0000000000020000-0x0000000000022000-memory.dmp

    Filesize

    8KB

  • memory/1748-24-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/2692-21-0x0000000000270000-0x00000000002AA000-memory.dmp

    Filesize

    232KB

  • memory/2692-13-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2692-26-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2808-12-0x0000000000120000-0x000000000015A000-memory.dmp

    Filesize

    232KB

  • memory/2808-8-0x0000000000120000-0x000000000015A000-memory.dmp

    Filesize

    232KB

  • memory/2808-25-0x0000000000120000-0x000000000015A000-memory.dmp

    Filesize

    232KB

  • memory/2828-22-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2828-27-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB