a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3

Analysis

max time kernel
98s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll
Size

83KB
MD5

cbf791ae024ac4c4a99052267021c523
SHA1

2d003593f9be5a6aebac97b5eb4c8e09f9b18c47
SHA256

a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3
SHA512

75b149dfec61d9a3faf45dbdd7d2d3166f11e83aef1c00d70340150f26254e378671851bd6171d7c7daf1d2d42f71589917f90ea657487c6abd396e8d385ef90
SSDEEP

1536:a27YDGlFwnzyfwsCVvpoTpMEOyHs27YDGl6Hp6p7C7Vr3s/4gDifHj:kGzwnzyfwsCV+VkyHGG8Hp6p+dswXfj

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	hrl72C4.tmp
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	hrl72C4.tmp
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	hrl72C4.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\hrl72C4.tmp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrl72C4.tmp:*:enabled:@shell32.dll,-1"	hrl72C4.tmp

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	hrl72C4.tmp

Executes dropped EXE 1 IoCs

pid	Process
744	hrl72C4.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	744	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
744	hrl72C4.tmp
744	hrl72C4.tmp

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp
744	hrl72C4.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	hrl72C4.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
744	hrl72C4.tmp
744	hrl72C4.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3220	2108	rundll32.exe	82
PID 2108 wrote to memory of 3220	2108	rundll32.exe	82
PID 2108 wrote to memory of 3220	2108	rundll32.exe	82
PID 3220 wrote to memory of 744	3220	rundll32.exe	84
PID 3220 wrote to memory of 744	3220	rundll32.exe	84
PID 3220 wrote to memory of 744	3220	rundll32.exe	84
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 600	744	hrl72C4.tmp	4
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 656	744	hrl72C4.tmp	2
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 772	744	hrl72C4.tmp	8
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 780	744	hrl72C4.tmp	14
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 788	744	hrl72C4.tmp	13
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 904	744	hrl72C4.tmp	12
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 952	744	hrl72C4.tmp	11
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 312	744	hrl72C4.tmp	10
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 388	744	hrl72C4.tmp	9
PID 744 wrote to memory of 608	744	hrl72C4.tmp	58
PID 744 wrote to memory of 608	744	hrl72C4.tmp	58
PID 744 wrote to memory of 608	744	hrl72C4.tmp	58
PID 744 wrote to memory of 608	744	hrl72C4.tmp	58

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:312
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:772
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3424
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3360
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3268
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4344
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  2⤵
  PID:3508
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1064
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:2280
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4620
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4376
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3640
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3524
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4418c2116da8e81254ff3b332af619f9837d913c76182a5366a3901405ecef3.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\hrl72C4.tmp
      C:\Users\Admin\AppData\Local\Temp\hrl72C4.tmp
      4⤵
      Modifies firewall policy service
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1052
        5⤵
        Program crash
        
        PID:1624

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2592

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1888

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 744 -ip 744
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl72C4.tmp

Filesize
71KB

MD5
3ccbb09bd8062641e5d61f3dddbca6b3

SHA1
f2e629030b59521874d1a2f7ff20a1bfaccb464b

SHA256
9504ee80b660e3ae74bd9ca742fbb5b5aba7106f046dc73fd78faecfb3748577

SHA512
b9bfd23ee9cfb63ca60693b5fb2ebd4869c72f2d1d39aea3119979b092887e6f0ed7f3c4108fcf7f82df6a3d47bb6fd3eed5f82659ff7b7056e6935f3e76c57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl72C4.tmp

Filesize
71KB

MD5
3ccbb09bd8062641e5d61f3dddbca6b3

SHA1
f2e629030b59521874d1a2f7ff20a1bfaccb464b

SHA256
9504ee80b660e3ae74bd9ca742fbb5b5aba7106f046dc73fd78faecfb3748577

SHA512
b9bfd23ee9cfb63ca60693b5fb2ebd4869c72f2d1d39aea3119979b092887e6f0ed7f3c4108fcf7f82df6a3d47bb6fd3eed5f82659ff7b7056e6935f3e76c57e

Download Submit
memory/744-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/744-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download