1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7

General

Target

1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
Size

30KB
MD5

dd351c87f249a95f278469ef3f58e6cf
SHA1

86ba7a82a92687bc37ba021b0c339ce2d11cbac0
SHA256

1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7
SHA512

24b2c9d5ddbd69425401d8c713d5970a96d2b7bb23c0222f498d344f495ef0331c232483275c09b47e6311fb1c3b1a394748e76c9993591acb5c0dc8b3ecc7a6
SSDEEP

384:QlC2Em7FELdqs00Lo9AHpFUHChr/h8JrGMsPu/+3XKD6peRC8UwDQIF7hDnB6PQG:gCT54sxgA/UHUr/uxw5p6kf0hDnBga

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\ServiceDll = "C:\\Windows\\system32\\lld.cvsvres"	reg.exe

Deletes itself 1 IoCs

pid	Process
1852	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
984	rundll32.exe
984	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msws.dll	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File created	C:\Windows\SysWOW64\Driver.inf	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File created	C:\Windows\SysWOW64\lld.cvsvres	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File opened for modification	C:\Windows\SysWOW64\lld.cvsvres	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File created	C:\Windows\SysWOW64\msws.dll	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1924	sc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1988	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	27
PID 1872 wrote to memory of 1988	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	27
PID 1872 wrote to memory of 1988	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	27
PID 1872 wrote to memory of 1988	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	27
PID 1872 wrote to memory of 1684	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	29
PID 1872 wrote to memory of 1684	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	29
PID 1872 wrote to memory of 1684	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	29
PID 1872 wrote to memory of 1684	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	29
PID 1872 wrote to memory of 1924	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	30
PID 1872 wrote to memory of 1924	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	30
PID 1872 wrote to memory of 1924	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	30
PID 1872 wrote to memory of 1924	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	30
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 984	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	33
PID 1872 wrote to memory of 1852	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	34
PID 1872 wrote to memory of 1852	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	34
PID 1872 wrote to memory of 1852	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	34
PID 1872 wrote to memory of 1852	1872	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	34

C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
"C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver" /v DelayedAutoStart /t REG_DWORD /d 0 /f
  2⤵
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\lld.cvsvres /f
  2⤵
  - Sets DLL path for service in the registry
  PID:1684
- C:\Windows\SysWOW64\sc.exe
  sc config lanmanserver start= auto
  2⤵
  - Launches sc.exe
  PID:1924
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\lld.cvsvres StartUpA
  2⤵
  - Loads dropped DLL
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
  2⤵
  - Deletes itself
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Driver.inf

Filesize
192B

MD5
9e941155a4ed04d67c1e0fc6d59b6448

SHA1
6a3959a5e67c19a3abe46495f9ef7d63c403b005

SHA256
60575ecc6610da5545819d308d4f64a027da2e4324059a7b5dbd169ff21eedcf

SHA512
38b2ebb7c7610a10d6c15ccf1b6f36a41ae36bca1835e2ff1a78d540009d8de4d90a3bcee59739476391419f0dc9717bdeddc7beace3ed05277b10df75ef1001

Download Submit
C:\Windows\SysWOW64\lld.cvsvres

Filesize
24KB

MD5
ebf107ca54ee1e13907516b81744f929

SHA1
1473a3d525f2450bf12e5c0c3d9f5dbc24ea2e7d

SHA256
04eac5cf76c27e20eb334e5f2a92020e2a0a6f2e43d66043c840b61726ae65ae

SHA512
7e128862c5915f9aaf750c7957dadc17422350ca88cc0aec2de262953ff36e5ee0cd80c705c7e3573a38706e2060e5a15a15197877d625300323962232333983

Download Submit
C:\Windows\SysWOW64\msws.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
\Windows\SysWOW64\lld.cvsvres

Filesize
24KB

MD5
ebf107ca54ee1e13907516b81744f929

SHA1
1473a3d525f2450bf12e5c0c3d9f5dbc24ea2e7d

SHA256
04eac5cf76c27e20eb334e5f2a92020e2a0a6f2e43d66043c840b61726ae65ae

SHA512
7e128862c5915f9aaf750c7957dadc17422350ca88cc0aec2de262953ff36e5ee0cd80c705c7e3573a38706e2060e5a15a15197877d625300323962232333983

Download Submit
\Windows\SysWOW64\msws.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/984-58-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing