fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484

General

Target

fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Size

63KB
MD5

a19364ad5be3be8c64e4e0706be25c4d
SHA1

56d72a21a688d98c115fbc04b9280eb3451c7a0d
SHA256

fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484
SHA512

42a0224e82e3b02a5b4d36dc55d848e8f94855fd01dfbbccf19cd191dc4288436415caa594e96f09ae0ee4a15f2f0a48e0644f9c1d51419a26e8e8be7b7b6b46
SSDEEP

1536:xkYz22fdLuFjnM/smBN6Ub9bAN02rf7OS6PFgyFMkjhPHjdUh7:xRKEQMBBkURJUQuWNH5e7

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 2 IoCs

pid	Process
2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
1524	RunDll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Windows Share = "RunDll32 \"C:\\Program Files (x86)\\Common Files\\SpeechEngines\\lsamssrv.dll\",Init"	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ja-JP\Licenses\svclog.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\svclog.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\SpeechEngines\lsamssrv.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\lsamssrv.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\uploglsa.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\uploglsa.dll	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1120	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	12
PID 2040 wrote to memory of 1120	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	12
PID 2040 wrote to memory of 1164	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	11
PID 2040 wrote to memory of 1164	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	11
PID 2040 wrote to memory of 1196	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	10
PID 2040 wrote to memory of 1196	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	10
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28
PID 2040 wrote to memory of 1524	2040	fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe	28

C:\Users\Admin\AppData\Local\Temp\fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe
"C:\Users\Admin\AppData\Local\Temp\fa201757612727359dc63e4e146548deb9c16518ed4f426b3842ee3ce95dc484.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32 "C:\Users\Admin\AppData\Local\Temp\8170.tmp",Init
  2⤵
  - Loads dropped DLL
  PID:1524

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8170.tmp

Filesize
60KB

MD5
fd2c58ce5c438527eb06323963281a51

SHA1
c9d3e419c845cf7889b6cf847e389ce45dc9243d

SHA256
0f159afe42cd7c2ae759bbcdaea74c78c9ce96eb198e581619880000b23d16c4

SHA512
d4bc4e0298120f78bde64149f9990398f95b5f7d9bf2fd5d8067364e4df76bb261374cf0d55abff3957bf4b2a292616a26fc2dbef654582c025ad3ca83433d12

Download Submit
\Users\Admin\AppData\Local\Temp\8170.tmp

Filesize
60KB

MD5
fd2c58ce5c438527eb06323963281a51

SHA1
c9d3e419c845cf7889b6cf847e389ce45dc9243d

SHA256
0f159afe42cd7c2ae759bbcdaea74c78c9ce96eb198e581619880000b23d16c4

SHA512
d4bc4e0298120f78bde64149f9990398f95b5f7d9bf2fd5d8067364e4df76bb261374cf0d55abff3957bf4b2a292616a26fc2dbef654582c025ad3ca83433d12

Download Submit
\Users\Admin\AppData\Local\Temp\8170.tmp

Filesize
60KB

MD5
fd2c58ce5c438527eb06323963281a51

SHA1
c9d3e419c845cf7889b6cf847e389ce45dc9243d

SHA256
0f159afe42cd7c2ae759bbcdaea74c78c9ce96eb198e581619880000b23d16c4

SHA512
d4bc4e0298120f78bde64149f9990398f95b5f7d9bf2fd5d8067364e4df76bb261374cf0d55abff3957bf4b2a292616a26fc2dbef654582c025ad3ca83433d12

Download Submit
memory/1120-59-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/1524-58-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1524-67-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download
memory/1524-70-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download
memory/1524-72-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download
memory/2040-55-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download
memory/2040-56-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download
memory/2040-71-0x00000000756A0000-0x00000000756C3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing