be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5

Analysis

max time kernel
175s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Size

101KB
MD5

4fcdaf11b23c3b8dffb1c866023f120a
SHA1

9c72a53afc85190b54cf89a0ff505c0a695ab0c6
SHA256

be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5
SHA512

656506f4bc8d3e446f7306e9f45d41e08a6097c7cc9e90b5d7a896042bebac21d72e59cdf75e255088b1ab9c4b5b3bdd5f6a57a44ede022f4c2ec7431bd4004b
SSDEEP

768:vbQkO1yZcPwwK2atrsuXLcVkHm3V/cl3RovJC2dyeVJlJUFFFOWdJpposqFJHQa1:TrePPqouXL+kHmF/cAvIAlwZppos8H1

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe

Loads dropped DLL 14 IoCs

pid	Process
1292	svchost.exe
1292	svchost.exe
1376	svchost.exe
1376	svchost.exe
1672	svchost.exe
1672	svchost.exe
320	svchost.exe
320	svchost.exe
2016	svchost.exe
2016	svchost.exe
1372	svchost.exe
1372	svchost.exe
756	svchost.exe
756	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1192	be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe

C:\Users\Admin\AppData\Local\Temp\be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe
"C:\Users\Admin\AppData\Local\Temp\be9e1f08f9b0ac72b09d04a603e67a98436017738344fcd21a8fe7b602b26cf5.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1372

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
101KB

MD5
713399c6ec2d45b1f4f2a477bed36b1d

SHA1
dbabae267de16080cd423ca24be4e781283f995e

SHA256
b9c0d89a814103e18691414565ce62fde17457c50007bce4918a3a41fe7384c6

SHA512
6f9583e47f0fe794e05d938aeb837e3df53e247795021ab45ec91854db40789a8367bf4ac18eaf56f2c8ebb9d7d478765457b8870d26d4930d216878ec9dc5f7

Download Submit
memory/1192-64-0x0000000002270000-0x0000000006270000-memory.dmp

Filesize
64.0MB

Download
memory/1192-68-0x0000000002270000-0x0000000006270000-memory.dmp

Filesize
64.0MB

Download
memory/1192-63-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1192-62-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1192-61-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1192-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1192-65-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1192-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1192-66-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download
memory/1192-67-0x0000000000020000-0x0000000000039000-memory.dmp

Filesize
100KB

Download