Overview

overview

10

Static

static

6ffd8c0f52...a9.dll

windows7-x64

8

6ffd8c0f52...a9.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 21:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6ffd8c0f5287d6b18b096727d8415d631f57df84f9c9a728e74caf912afb19a9.dll

  • Size

    72KB

  • MD5

    33ad45d6d37b306a42e70d7a55fb5660

  • SHA1

    c36a30099ab6aa973f30371b70ace9c176991f59

  • SHA256

    6ffd8c0f5287d6b18b096727d8415d631f57df84f9c9a728e74caf912afb19a9

  • SHA512

    c2a0530e8abd9ab44fb8263f814b3954b8f2d0f919b981ae410acfb930787aa032a56e41e3354b651375f87db080aaf5a1da5a7c35df5f3587de03bbf4390e0f

  • SSDEEP

    1536:sm/6BS7LL1odo9yHSmJ0ZZTP5AXfcZdRdfufS:spBon1oWyHSiMZTP5EcZ

Score
10/10
evasion

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:656
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:604
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1020
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            2⤵
              PID:780
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p
            1⤵
              PID:764
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                2⤵
                  PID:3452
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  2⤵
                    PID:3384
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    2⤵
                      PID:4708
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      2⤵
                        PID:4944
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                        2⤵
                          PID:1492
                        • C:\Windows\system32\SppExtComObj.exe
                          C:\Windows\system32\SppExtComObj.exe -Embedding
                          2⤵
                            PID:3192
                          • C:\Windows\system32\wbem\wmiprvse.exe
                            C:\Windows\system32\wbem\wmiprvse.exe
                            2⤵
                              PID:4796
                            • C:\Windows\system32\DllHost.exe
                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                              2⤵
                                PID:4404
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                2⤵
                                  PID:3736
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  2⤵
                                    PID:3536
                                  • C:\Windows\system32\DllHost.exe
                                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                    2⤵
                                      PID:3296
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                    1⤵
                                      PID:432
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                      1⤵
                                        PID:940
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k RPCSS -p
                                        1⤵
                                          PID:892
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                          1⤵
                                            PID:744
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                            1⤵
                                              PID:1036
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                              1⤵
                                                PID:1124
                                                • C:\Windows\system32\taskhostw.exe
                                                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                  2⤵
                                                    PID:2516
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                  1⤵
                                                    PID:1208
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                    1⤵
                                                      PID:1420
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                      1⤵
                                                        PID:1656
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                        1⤵
                                                          PID:1796
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                          1⤵
                                                            PID:1952
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                            1⤵
                                                              PID:2176
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                              1⤵
                                                                PID:2448
                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                1⤵
                                                                  PID:2608
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                  1⤵
                                                                    PID:2708
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                    1⤵
                                                                      PID:3128
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                      1⤵
                                                                        PID:4256
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                        1⤵
                                                                          PID:4592
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                          1⤵
                                                                            PID:3488
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                            1⤵
                                                                              PID:2752
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                              1⤵
                                                                                PID:2432
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                1⤵
                                                                                  PID:4216
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                  1⤵
                                                                                    PID:3600
                                                                                  • C:\Windows\Explorer.EXE
                                                                                    C:\Windows\Explorer.EXE
                                                                                    1⤵
                                                                                      PID:2864
                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                        rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffd8c0f5287d6b18b096727d8415d631f57df84f9c9a728e74caf912afb19a9.dll,#1
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4928
                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffd8c0f5287d6b18b096727d8415d631f57df84f9c9a728e74caf912afb19a9.dll,#1
                                                                                          3⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:4940
                                                                                          • C:\Users\Admin\AppData\Local\Temp\hrl9455.tmp
                                                                                            C:\Users\Admin\AppData\Local\Temp\hrl9455.tmp
                                                                                            4⤵
                                                                                            • Modifies firewall policy service
                                                                                            • Drops file in Drivers directory
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:2240
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                      1⤵
                                                                                        PID:2716
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                        1⤵
                                                                                          PID:2692
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                          1⤵
                                                                                            PID:2684
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                            1⤵
                                                                                              PID:2616
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                              1⤵
                                                                                                PID:2456
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                1⤵
                                                                                                  PID:2404
                                                                                                • C:\Windows\system32\sihost.exe
                                                                                                  sihost.exe
                                                                                                  1⤵
                                                                                                    PID:2364
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                                    1⤵
                                                                                                      PID:2196
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                                      1⤵
                                                                                                        PID:2144
                                                                                                      • C:\Windows\System32\spoolsv.exe
                                                                                                        C:\Windows\System32\spoolsv.exe
                                                                                                        1⤵
                                                                                                          PID:1844
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                                          1⤵
                                                                                                            PID:2024
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                                            1⤵
                                                                                                              PID:2012
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                                              1⤵
                                                                                                                PID:1944
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                1⤵
                                                                                                                  PID:1804
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                                  1⤵
                                                                                                                    PID:1712
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                                    1⤵
                                                                                                                      PID:1676
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                                      1⤵
                                                                                                                        PID:1604
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                                        1⤵
                                                                                                                          PID:1524
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                                          1⤵
                                                                                                                            PID:1384
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                            1⤵
                                                                                                                              PID:1360
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                              1⤵
                                                                                                                                PID:1344
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                                1⤵
                                                                                                                                  PID:1252
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:1168
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:1028
                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                      1⤵
                                                                                                                                        PID:504
                                                                                                                                      • C:\Windows\system32\fontdrvhost.exe
                                                                                                                                        "fontdrvhost.exe"
                                                                                                                                        1⤵
                                                                                                                                          PID:776
                                                                                                                                        • C:\Windows\SysWOW64\hmrfma.exe
                                                                                                                                          C:\Windows\SysWOW64\hmrfma.exe
                                                                                                                                          1⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:2276
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 400
                                                                                                                                            2⤵
                                                                                                                                            • Program crash
                                                                                                                                            PID:3940
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2276 -ip 2276
                                                                                                                                          1⤵
                                                                                                                                            PID:2984

                                                                                                                                          Network

                                                                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                                                                Replay Monitor

                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                Downloads

                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\hrl9455.tmp
                                                                                                                                                  Filesize

                                                                                                                                                  64KB

                                                                                                                                                  MD5

                                                                                                                                                  d18def3c81c878133df563a30aa842d8

                                                                                                                                                  SHA1

                                                                                                                                                  41a902f646e22d2ec5c38bb72df861d825ad0f91

                                                                                                                                                  SHA256

                                                                                                                                                  30fdee8bbf6e3ea0c6a58c1c3ebdf2c5d33ef31b6c053e981329203a785b39b0

                                                                                                                                                  SHA512

                                                                                                                                                  693b7fb8b71d83e12f3548b0a042aaca19194da2e9aebdfc6a6ba38229c5e12c67286cfcdebefaf6e747ba4c651685916a558a5d59681d9d5fb86d48991948b2

                                                                                                                                                  Download Submit

                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\hrl9455.tmp
                                                                                                                                                  Filesize

                                                                                                                                                  64KB

                                                                                                                                                  MD5

                                                                                                                                                  d18def3c81c878133df563a30aa842d8

                                                                                                                                                  SHA1

                                                                                                                                                  41a902f646e22d2ec5c38bb72df861d825ad0f91

                                                                                                                                                  SHA256

                                                                                                                                                  30fdee8bbf6e3ea0c6a58c1c3ebdf2c5d33ef31b6c053e981329203a785b39b0

                                                                                                                                                  SHA512

                                                                                                                                                  693b7fb8b71d83e12f3548b0a042aaca19194da2e9aebdfc6a6ba38229c5e12c67286cfcdebefaf6e747ba4c651685916a558a5d59681d9d5fb86d48991948b2

                                                                                                                                                  Download Submit

                                                                                                                                                • C:\Windows\SysWOW64\hmrfma.exe
                                                                                                                                                  Filesize

                                                                                                                                                  64KB

                                                                                                                                                  MD5

                                                                                                                                                  d18def3c81c878133df563a30aa842d8

                                                                                                                                                  SHA1

                                                                                                                                                  41a902f646e22d2ec5c38bb72df861d825ad0f91

                                                                                                                                                  SHA256

                                                                                                                                                  30fdee8bbf6e3ea0c6a58c1c3ebdf2c5d33ef31b6c053e981329203a785b39b0

                                                                                                                                                  SHA512

                                                                                                                                                  693b7fb8b71d83e12f3548b0a042aaca19194da2e9aebdfc6a6ba38229c5e12c67286cfcdebefaf6e747ba4c651685916a558a5d59681d9d5fb86d48991948b2

                                                                                                                                                  Download Submit

                                                                                                                                                • C:\Windows\SysWOW64\hmrfma.exe
                                                                                                                                                  Filesize

                                                                                                                                                  64KB

                                                                                                                                                  MD5

                                                                                                                                                  d18def3c81c878133df563a30aa842d8

                                                                                                                                                  SHA1

                                                                                                                                                  41a902f646e22d2ec5c38bb72df861d825ad0f91

                                                                                                                                                  SHA256

                                                                                                                                                  30fdee8bbf6e3ea0c6a58c1c3ebdf2c5d33ef31b6c053e981329203a785b39b0

                                                                                                                                                  SHA512

                                                                                                                                                  693b7fb8b71d83e12f3548b0a042aaca19194da2e9aebdfc6a6ba38229c5e12c67286cfcdebefaf6e747ba4c651685916a558a5d59681d9d5fb86d48991948b2

                                                                                                                                                  Download Submit

                                                                                                                                                • memory/2240-136-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  80KB

                                                                                                                                                  Download

                                                                                                                                                • memory/2240-140-0x000000007FE30000-0x000000007FE3C000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  48KB

                                                                                                                                                  Download

                                                                                                                                                • memory/2240-142-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  80KB

                                                                                                                                                  Download

                                                                                                                                                • memory/2240-143-0x000000007FE30000-0x000000007FE3C000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  48KB

                                                                                                                                                  Download

                                                                                                                                                • memory/2276-139-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  80KB

                                                                                                                                                  Download

                                                                                                                                                • memory/2276-141-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                  Filesize

                                                                                                                                                  80KB

                                                                                                                                                  Download