a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa.dll
Size

22KB
MD5

f5c212313d5f94661b3c77e5a45731f0
SHA1

664a7d6ae2810d7c8032d9d91c926d0ec98f1f41
SHA256

a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa
SHA512

36aa18e6b78ff884266efe5e12331564e414adea81a0324261636d71b37228c47b579385aed183a84577da26a4e99cdb9acc8a0941f0fa4f8dfdb94571f79a36
SSDEEP

384:O9Iv76z12Qf41sJFSEh7GzInz808tUy6wqdSGgIbKZJo8YFGqP5vXWvwWlz:O966h2lsJXh7GEY08tgdZgIWPYFp5vc

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\123.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1944	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\123.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\123.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	536	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
1944	svchost.exe
1944	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 536	4712	rundll32.exe	86
PID 4712 wrote to memory of 536	4712	rundll32.exe	86
PID 4712 wrote to memory of 536	4712	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 696
    3⤵
    - Program crash
    PID:4792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 536 -ip 536
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\123.dll

Filesize
22KB

MD5
f5c212313d5f94661b3c77e5a45731f0

SHA1
664a7d6ae2810d7c8032d9d91c926d0ec98f1f41

SHA256
a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa

SHA512
36aa18e6b78ff884266efe5e12331564e414adea81a0324261636d71b37228c47b579385aed183a84577da26a4e99cdb9acc8a0941f0fa4f8dfdb94571f79a36

Download Submit
C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\123.dll

Filesize
22KB

MD5
f5c212313d5f94661b3c77e5a45731f0

SHA1
664a7d6ae2810d7c8032d9d91c926d0ec98f1f41

SHA256
a80be827637fba3f53db67de6d2af223a53e154f8b505608ee8b6e66c3ff22fa

SHA512
36aa18e6b78ff884266efe5e12331564e414adea81a0324261636d71b37228c47b579385aed183a84577da26a4e99cdb9acc8a0941f0fa4f8dfdb94571f79a36

Download Submit