76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273

General

Target

76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe
Size

1021KB
MD5

3cc0d0740491861616c3a6a0a728e2e6
SHA1

402011eadfbdc2440cfee0783d76a2499f004c83
SHA256

76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273
SHA512

5f6c4b4348e83e3cf55f6ed502802b6e5464fe289abb35ff27ddc2869f19b34c11619145188ae859d323e4d1143f36a54eefc79f2e7cae45179fa02888aaff85
SSDEEP

24576:gvmqGi12npB+mjFXOXvAkEp3W8AD/Dhd+y4lqJ8QdCYDoDNQ:gvmbi1mpB+KtdsvD/DX+y4onCYDoDK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4752	temp1.tem
4304	temp2.tem

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kzxypf\Parameters\ServiceDll = "%SystemRoot%\\System32\\xanfvn.dll"	temp1.tem
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\kzxypf\Parameters\ServiceDll = "%SystemRoot%\\System32\\xanfvn.dll"	temp1.tem
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\kzxypf\Parameters\ServiceDll = "%SystemRoot%\\System32\\xanfvn.dll"	temp1.tem

Loads dropped DLL 3 IoCs

pid	Process
2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe
4752	temp1.tem
4608	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xanfvn.dll	temp1.tem
File created	C:\Windows\SysWOW64\xanfvn.sys	temp1.tem
File created	C:\Windows\SysWOW64\0000500df.001	temp1.tem

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe
2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4752	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	84
PID 2972 wrote to memory of 4752	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	84
PID 2972 wrote to memory of 4752	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	84
PID 2972 wrote to memory of 4304	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	86
PID 2972 wrote to memory of 4304	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	86
PID 2972 wrote to memory of 4304	2972	76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe	86

C:\Users\Admin\AppData\Local\Temp\76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe
"C:\Users\Admin\AppData\Local\Temp\76665f37f480c1124bed319c55457d7909e9179fa791bbf2971c4b3f072c0273.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\temp1.tem
  C:\Users\Admin\AppData\Local\Temp\temp1.tem
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\temp2.tem
  C:\Users\Admin\AppData\Local\Temp\temp2.tem
  2⤵
  - Executes dropped EXE
  PID:4304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k kzxypf
1⤵
- Loads dropped DLL
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp1.tem

Filesize
65KB

MD5
2aff65180ccd860c84c6de7877fa6b0f

SHA1
0dca808db5c8dd7a699fdd0765afbbe509817ce8

SHA256
6c91830c440b3ce211f6b075a2db681ca51403f53f17d74b35d5d8b9340d70e3

SHA512
8dcb62863954fdc45e3efc508c02b5d0ba8fdc120e5cc8a6b28a509750e406654390adc3df5b954349de6a2175783d010a2a53d532ec641217978b3331075629

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp1.tem

Filesize
65KB

MD5
2aff65180ccd860c84c6de7877fa6b0f

SHA1
0dca808db5c8dd7a699fdd0765afbbe509817ce8

SHA256
6c91830c440b3ce211f6b075a2db681ca51403f53f17d74b35d5d8b9340d70e3

SHA512
8dcb62863954fdc45e3efc508c02b5d0ba8fdc120e5cc8a6b28a509750e406654390adc3df5b954349de6a2175783d010a2a53d532ec641217978b3331075629

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp2.tem

Filesize
420KB

MD5
f121f878287d20558f185006bc121bd7

SHA1
1291c85d9735a6f4133277e72bfb53a68c7ce0f4

SHA256
b27a3c23fac022e262cec31716d744fc6dddb2224a7b6022ee4784fd55253c85

SHA512
a44cf979f759d57755e2b78203c0f670e7c7ee58fac2c3aea6113b4aebcd679660398f7cbb7689c6d47246752b5926925b189406550afeca11d8ca1f84cc66c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp2.tem

Filesize
420KB

MD5
f121f878287d20558f185006bc121bd7

SHA1
1291c85d9735a6f4133277e72bfb53a68c7ce0f4

SHA256
b27a3c23fac022e262cec31716d744fc6dddb2224a7b6022ee4784fd55253c85

SHA512
a44cf979f759d57755e2b78203c0f670e7c7ee58fac2c3aea6113b4aebcd679660398f7cbb7689c6d47246752b5926925b189406550afeca11d8ca1f84cc66c9

Download Submit
C:\Windows\SysWOW64\xanfvn.dll

Filesize
91KB

MD5
910678b2bb3c3fb821d0ae44e4acf28c

SHA1
00c864e929b99098939b94b800435f8067043ed3

SHA256
e4d5dc68ced34bcfd756a16e23cea3308af3b1c7bba570aec911015ea6542788

SHA512
5f3ea0c7723c28850725d1953084da4a678038d86147ca3bd1edf8634ca4a1eea6810a6a062bfb7ecd117c38e8b3fa1fbaa3f8b838bd6daf98fb2f6d4018eb66

Download Submit
C:\Windows\SysWOW64\xanfvn.dll

Filesize
91KB

MD5
910678b2bb3c3fb821d0ae44e4acf28c

SHA1
00c864e929b99098939b94b800435f8067043ed3

SHA256
e4d5dc68ced34bcfd756a16e23cea3308af3b1c7bba570aec911015ea6542788

SHA512
5f3ea0c7723c28850725d1953084da4a678038d86147ca3bd1edf8634ca4a1eea6810a6a062bfb7ecd117c38e8b3fa1fbaa3f8b838bd6daf98fb2f6d4018eb66

Download Submit
\??\c:\windows\SysWOW64\xanfvn.dll

Filesize
91KB

MD5
910678b2bb3c3fb821d0ae44e4acf28c

SHA1
00c864e929b99098939b94b800435f8067043ed3

SHA256
e4d5dc68ced34bcfd756a16e23cea3308af3b1c7bba570aec911015ea6542788

SHA512
5f3ea0c7723c28850725d1953084da4a678038d86147ca3bd1edf8634ca4a1eea6810a6a062bfb7ecd117c38e8b3fa1fbaa3f8b838bd6daf98fb2f6d4018eb66

Download Submit
memory/2972-144-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4304-143-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4304-145-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4304-146-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/4752-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing