5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76

Analysis

max time kernel
152s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Size

88KB
MD5

813fe7107834cf1e1e19dec84fdf3e84
SHA1

ba3645d689aeec50468f1233d3555613b4029535
SHA256

5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76
SHA512

ae6c9aac8dd2b59157874d3994d4e94c035295793db3895c07894db45dfd7d20bc233012689d4f5ff525fb013840c67208ccc4778709d0505e5a7cbf379dd7d0
SSDEEP

1536:etZHJGPKZi+unw3uzV1cuuAVBljDxppoNr9hTcOujjwGTr0aIiksSaV1K7ZN9:M3GCZi+u93XVBR2Nr9hoOVGToadTutN9

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe

Loads dropped DLL 12 IoCs

pid	Process
1076	svchost.exe
1076	svchost.exe
1348	svchost.exe
1348	svchost.exe
1504	svchost.exe
1504	svchost.exe
1960	svchost.exe
1960	svchost.exe
1648	svchost.exe
1648	svchost.exe
972	svchost.exe
972	svchost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ias.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1028	5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe

C:\Users\Admin\AppData\Local\Temp\5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe
"C:\Users\Admin\AppData\Local\Temp\5b0a41b08ecc03202d07df43055ec8d463b2009e727d481aac89f49742236d76.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1348

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
88KB

MD5
543bdf2833dcd23f552b99f4366dd6a4

SHA1
7e07932bd4a19f03c357a3eda2443bf1d169e7a1

SHA256
1b45d9bc4cad1729f04d8ecab824fcd6fa926b941f9276f340871ca9088f51e3

SHA512
1b7c49b0db1bc7473290f48396e8fb29f6b11eaf3844252ad05d7ee52b2833c4bc19b82a44cc74a653327f739223ea9a1472389c3af6127cc5edea4c8955f314

Download Submit
memory/1028-58-0x0000000001F60000-0x0000000005F60000-memory.dmp

Filesize
64.0MB

Download
memory/1028-54-0x0000000000B30000-0x0000000000B52000-memory.dmp

Filesize
136KB

Download
memory/1028-56-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/1028-63-0x0000000000B30000-0x0000000000B52000-memory.dmp

Filesize
136KB

Download
memory/1028-65-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/1028-57-0x00000000001D0000-0x00000000001F2000-memory.dmp

Filesize
136KB

Download
memory/1028-64-0x0000000001F60000-0x0000000005F60000-memory.dmp

Filesize
64.0MB

Download
memory/1028-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download