dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
Size

6.5MB
MD5

96d6ad7a8198d9d93ed11dc182a8dc2c
SHA1

a41d329e602d8b061e9935bfec4d3fa7dfd6f20a
SHA256

dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3
SHA512

4fe205921eabbc2a88f24ed41ddef671798d18e0d7a44435e6b35ca9ac3dce2ce549dccd21f55154963852b3ab22275e72e5090e3ff4c9867af33134308505dc
SSDEEP

24576:tiTSE+zZfbtWnFrGIacDXuxKZJExarOj/z:t2SEGTtGFr9acDLzExarW/

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\mpeg4c32.dll"	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\mpeg4c32.dll"	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mpeg4c32.dll	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
File opened for modification	C:\Windows\SysWOW64\mpeg4c32.dll	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2264	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3992	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
Token: SeDebugPrivilege	2264	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2264	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	84
PID 3192 wrote to memory of 2264	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	84
PID 3192 wrote to memory of 2264	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	84
PID 3192 wrote to memory of 312	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	90
PID 3192 wrote to memory of 312	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	90
PID 3192 wrote to memory of 312	3192	dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe	90
PID 312 wrote to memory of 3992	312	cmd.exe	92
PID 312 wrote to memory of 3992	312	cmd.exe	92
PID 312 wrote to memory of 3992	312	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe
"C:\Users\Admin\AppData\Local\Temp\dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360tray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping localhost -n 1 && del "C:\Users\Admin\AppData\Local\Temp\dc34f220006531ea6f70a79fccd3176c94f1b77cc8b2ecd788a4c806d709a3f3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-132-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/3192-135-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download