1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7

General

Target

1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
Size

30KB
MD5

dd351c87f249a95f278469ef3f58e6cf
SHA1

86ba7a82a92687bc37ba021b0c339ce2d11cbac0
SHA256

1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7
SHA512

24b2c9d5ddbd69425401d8c713d5970a96d2b7bb23c0222f498d344f495ef0331c232483275c09b47e6311fb1c3b1a394748e76c9993591acb5c0dc8b3ecc7a6
SSDEEP

384:QlC2Em7FELdqs00Lo9AHpFUHChr/h8JrGMsPu/+3XKD6peRC8UwDQIF7hDnB6PQG:gCT54sxgA/UHUr/uxw5p6kf0hDnBga

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\ServiceDll = "C:\\Windows\\system32\\lld.cvsvres"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	rundll32.exe
2160	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msws.dll	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File opened for modification	C:\Windows\SysWOW64\msws.dll	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File created	C:\Windows\SysWOW64\Driver.inf	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File created	C:\Windows\SysWOW64\lld.cvsvres	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
File opened for modification	C:\Windows\SysWOW64\lld.cvsvres	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2108	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	79
PID 3644 wrote to memory of 4392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	79
PID 3644 wrote to memory of 4392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	79
PID 3644 wrote to memory of 392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	80
PID 3644 wrote to memory of 392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	80
PID 3644 wrote to memory of 392	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	80
PID 3644 wrote to memory of 2108	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	83
PID 3644 wrote to memory of 2108	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	83
PID 3644 wrote to memory of 2108	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	83
PID 3644 wrote to memory of 2160	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	86
PID 3644 wrote to memory of 2160	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	86
PID 3644 wrote to memory of 2160	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	86
PID 3644 wrote to memory of 2272	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	87
PID 3644 wrote to memory of 2272	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	87
PID 3644 wrote to memory of 2272	3644	1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe	87

C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
"C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver" /v DelayedAutoStart /t REG_DWORD /d 0 /f
  2⤵
  PID:4392
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\lld.cvsvres /f
  2⤵
  - Sets DLL path for service in the registry
  PID:392
- C:\Windows\SysWOW64\sc.exe
  sc config lanmanserver start= auto
  2⤵
  - Launches sc.exe
  PID:2108
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\lld.cvsvres StartUpA
  2⤵
  - Loads dropped DLL
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1941d9aa0326be385466758e6267110435a121ee709b4e347d23b8d7055adfc7.exe
  2⤵
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Driver.inf

Filesize
192B

MD5
9e941155a4ed04d67c1e0fc6d59b6448

SHA1
6a3959a5e67c19a3abe46495f9ef7d63c403b005

SHA256
60575ecc6610da5545819d308d4f64a027da2e4324059a7b5dbd169ff21eedcf

SHA512
38b2ebb7c7610a10d6c15ccf1b6f36a41ae36bca1835e2ff1a78d540009d8de4d90a3bcee59739476391419f0dc9717bdeddc7beace3ed05277b10df75ef1001

Download Submit
C:\Windows\SysWOW64\lld.cvsvres

Filesize
24KB

MD5
ebf107ca54ee1e13907516b81744f929

SHA1
1473a3d525f2450bf12e5c0c3d9f5dbc24ea2e7d

SHA256
04eac5cf76c27e20eb334e5f2a92020e2a0a6f2e43d66043c840b61726ae65ae

SHA512
7e128862c5915f9aaf750c7957dadc17422350ca88cc0aec2de262953ff36e5ee0cd80c705c7e3573a38706e2060e5a15a15197877d625300323962232333983

Download Submit
C:\Windows\SysWOW64\lld.cvsvres

Filesize
24KB

MD5
ebf107ca54ee1e13907516b81744f929

SHA1
1473a3d525f2450bf12e5c0c3d9f5dbc24ea2e7d

SHA256
04eac5cf76c27e20eb334e5f2a92020e2a0a6f2e43d66043c840b61726ae65ae

SHA512
7e128862c5915f9aaf750c7957dadc17422350ca88cc0aec2de262953ff36e5ee0cd80c705c7e3573a38706e2060e5a15a15197877d625300323962232333983

Download Submit
C:\Windows\SysWOW64\msws.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\SysWOW64\msws.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit

Analysis

Sharing