Analysis
-
max time kernel
149s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
30/10/2022, 02:02
Behavioral task
behavioral1
Sample
393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe
Resource
win10v2004-20220812-en
General
-
Target
393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe
-
Size
272KB
-
MD5
a2e4beb2753ac7ed189ae4df9e051650
-
SHA1
98179438d7954cf9843dd1441e575e00e376feec
-
SHA256
393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e
-
SHA512
d6f59d5f8facb8b1880fa46c328e38896fd2a199e939140207f2f5711993d43a97ed43a88522fb3caa1425c4ebf14091c620c11778a820d9611ef1880a66e4bf
-
SSDEEP
6144:XvixE++swhjnZSBxnHNvPmOu+QUrT610gj7Q:XYEldAB7vPBLZ
Malware Config
Signatures
-
resource yara_rule behavioral1/files/0x00140000000054ab-56.dat aspack_v212_v242 behavioral1/files/0x00140000000054ab-58.dat aspack_v212_v242 behavioral1/memory/1908-65-0x00000000002F0000-0x000000000033E000-memory.dmp aspack_v212_v242 behavioral1/files/0x00080000000126c9-66.dat aspack_v212_v242 behavioral1/files/0x00080000000126c9-67.dat aspack_v212_v242 behavioral1/files/0x0008000000012744-75.dat aspack_v212_v242 behavioral1/files/0x0008000000012744-76.dat aspack_v212_v242 behavioral1/files/0x0007000000012758-81.dat aspack_v212_v242 behavioral1/files/0x0007000000012758-82.dat aspack_v212_v242 behavioral1/files/0x000700000001311a-88.dat aspack_v212_v242 behavioral1/files/0x000700000001311a-87.dat aspack_v212_v242 behavioral1/files/0x0007000000013170-93.dat aspack_v212_v242 behavioral1/files/0x0007000000013170-92.dat aspack_v212_v242 behavioral1/files/0x00070000000131fd-99.dat aspack_v212_v242 behavioral1/files/0x00070000000131fd-98.dat aspack_v212_v242 behavioral1/files/0x0007000000013300-103.dat aspack_v212_v242 behavioral1/files/0x0007000000013300-104.dat aspack_v212_v242 behavioral1/memory/1908-109-0x00000000002F0000-0x000000000033E000-memory.dmp aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 1908 7fa05b4f.exe -
Sets DLL path for service in the registry 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll" 7fa05b4f.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll" 7fa05b4f.exe -
resource yara_rule behavioral1/files/0x00140000000054ab-56.dat upx behavioral1/memory/748-59-0x0000000000400000-0x0000000000444000-memory.dmp upx behavioral1/files/0x00140000000054ab-58.dat upx behavioral1/memory/1908-62-0x0000000000800000-0x000000000084E000-memory.dmp upx behavioral1/memory/1908-63-0x0000000000800000-0x000000000084E000-memory.dmp upx behavioral1/memory/1908-64-0x0000000000800000-0x000000000084E000-memory.dmp upx behavioral1/memory/1908-65-0x00000000002F0000-0x000000000033E000-memory.dmp upx behavioral1/files/0x00080000000126c9-66.dat upx behavioral1/files/0x00080000000126c9-67.dat upx behavioral1/memory/916-69-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/memory/916-70-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/memory/916-71-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/files/0x0008000000012744-75.dat upx behavioral1/files/0x0008000000012744-76.dat upx behavioral1/memory/1756-78-0x0000000074440000-0x000000007448E000-memory.dmp upx behavioral1/memory/1756-79-0x0000000074440000-0x000000007448E000-memory.dmp upx behavioral1/memory/1756-80-0x0000000074440000-0x000000007448E000-memory.dmp upx behavioral1/files/0x0007000000012758-81.dat upx behavioral1/files/0x0007000000012758-82.dat upx behavioral1/memory/1608-84-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/memory/1608-85-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/memory/1608-86-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/files/0x000700000001311a-88.dat upx behavioral1/files/0x000700000001311a-87.dat upx behavioral1/memory/1584-96-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/memory/1584-95-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/files/0x0007000000013170-93.dat upx behavioral1/memory/1584-97-0x0000000074990000-0x00000000749DE000-memory.dmp upx behavioral1/files/0x0007000000013170-92.dat upx behavioral1/files/0x00070000000131fd-99.dat upx behavioral1/files/0x00070000000131fd-98.dat upx behavioral1/files/0x0007000000013300-103.dat upx behavioral1/files/0x0007000000013300-104.dat upx behavioral1/memory/1908-108-0x0000000000800000-0x000000000084E000-memory.dmp upx behavioral1/memory/1908-109-0x00000000002F0000-0x000000000033E000-memory.dmp upx -
Loads dropped DLL 7 IoCs
pid Process 916 svchost.exe 1756 svchost.exe 1608 svchost.exe 1448 svchost.exe 1584 svchost.exe 776 svchost.exe 1552 svchost.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Ias.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Nwsapagent.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Wmi.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Irmon.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Nla.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\Ntmssvc.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\NWCWorkstation.dll 7fa05b4f.exe File opened for modification C:\Windows\SysWOW64\SRService.dll 7fa05b4f.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1908 7fa05b4f.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28 PID 748 wrote to memory of 1908 748 393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe"C:\Users\Admin\AppData\Local\Temp\393ffb7500d45536f4e95784628fef73786b26ef5095e56b27eda0bc6a4c955e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
C:\7fa05b4f.exeC:\7fa05b4f.exe2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1908
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:916
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:1756
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:1608
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:1448
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:1584
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:776
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:1552
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵PID:1492
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238KB
MD5683d0370e535bbb21489bd0255c26256
SHA1c49011481ff216759ea0632f04a5cd3fa5cc743c
SHA256e897feca67c0c2e0c539f8040b5b5ac254196a11495c236cd296e678d692e082
SHA5120ebdedbf2534fd6939b132c9f1cf6d64d88a4b9f60c23c459c7c2f0ec7e5d0203bfa7a2bb33fa57a141b8440cce5a044e160717ed30777e833f07936bb4bdd40
-
Filesize
238KB
MD5683d0370e535bbb21489bd0255c26256
SHA1c49011481ff216759ea0632f04a5cd3fa5cc743c
SHA256e897feca67c0c2e0c539f8040b5b5ac254196a11495c236cd296e678d692e082
SHA5120ebdedbf2534fd6939b132c9f1cf6d64d88a4b9f60c23c459c7c2f0ec7e5d0203bfa7a2bb33fa57a141b8440cce5a044e160717ed30777e833f07936bb4bdd40
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1
-
Filesize
238KB
MD55bde78cbb6156f62b8a8fd3ce0f477df
SHA18290372f48fe98c65566f6aee6eaa2b313329716
SHA256b4c11b4dc871f5e52fb0666e4e7b3a82da86f2422a00c59c555a04554f7dcbaf
SHA5123f07a68524ec9d6766520118584574f5a5c7c2d7eccd308c8555fb8dc428151ee0e441ff55dca303b06dc14aab2b79d7a375a9b72e565cf3c410d0360baa13d1