Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02/10/2022, 19:51
General
-
Target
f460f7a6fb1b91fcb4cbcb9fd2a27833b9676f09bd134ede258c1939d46aa0a6.dll
-
Size
400KB
-
MD5
481f5ea01682ac972e793612837764b4
-
SHA1
7906d315e6a4d2504cf8e05a7a80e344bde1365d
-
SHA256
f460f7a6fb1b91fcb4cbcb9fd2a27833b9676f09bd134ede258c1939d46aa0a6
-
SHA512
635a34ca89fcbedbb9e9f4a3a7d614838adf25974f06ad0d2ce809c017000e7df738845cf73febbea3d0c57282cd9991f62af7d81e68e7764eb6b9db20aed554
-
SSDEEP
6144:W0IEu0/l7rUdoqWMvjcw3sWSAoITM+NPUHFWnPbDicWQZKlI3:P79qXvjRc5AoIY+NPUlWnTDiYuA
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f460f7a6fb1b91fcb4cbcb9fd2a27833b9676f09bd134ede258c1939d46aa0a6.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f460f7a6fb1b91fcb4cbcb9fd2a27833b9676f09bd134ede258c1939d46aa0a6.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
65KB
MD57124ae1fb9a89a721e39bdb970ccd26b
SHA12bfb100d0eefcfb449cf272390077f88462c6d28
SHA256bb175585968d8c0af884de4bf645d6312f33d0026d9890ecb9749469b6646b86
SHA512990f5b8c3e2628d1af5dcb6b8a881eed8a2f176ba09cf28553abe2dda18f7f3fda92bd87a54f1d435015c061aa880039408179e8157fccbe4cc955b4a8e5e4b8
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
132KB
-
Filesize
28KB
-
Filesize
132KB
-
Filesize
44KB
-
Filesize
132KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
132KB
-
Filesize
132KB