1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe
Size

38KB
MD5

103b81c71b1b7fe734658b60088c65b6
SHA1

24f754e259be5c3ee82460c6322d8df9dfe1e044
SHA256

1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce
SHA512

5e5d8403cf4182a858c4989cc3309aec9b20af02db584b890f8a145b0cc8b18597a00598e092607f16d8eee4ab33cefaf0af534ce9da8bc2245678ed2983d9a3
SSDEEP

768:jwKT1cZrs2IL/8kGOTCPfKYJpxg+dR6N8kXGMsPBV2OW:cKT1MED8kGECv7TdRq8kXGMggf

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\stisvc\Parameters\ServiceDll = "C:\\Windows\\system32\\msoe.dll"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Loads dropped DLL 12 IoCs

pid	Process
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
556	rundll32.exe
556	rundll32.exe
556	rundll32.exe
556	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msoe.dll	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
556	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 1948	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	27
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 664	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	28
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 556	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	29
PID 1444 wrote to memory of 1940	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	30
PID 1444 wrote to memory of 1940	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	30
PID 1444 wrote to memory of 1940	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	30
PID 1444 wrote to memory of 1940	1444	1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe	30

C:\Users\Admin\AppData\Local\Temp\1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe
"C:\Users\Admin\AppData\Local\Temp\1b59cdb5febc933a3ae26b6361f1d0d3492ce85c1fa9b8343852359439903bce.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Windows\system32\msoe.dll F2 stisvc
  2⤵
  - Loads dropped DLL
  PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Windows\system32\msoe.dll F1 stisvc
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  PID:664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Windows\system32\msoe.dll F3 msnmsgr.exe,wuauclt.exe,outlook.exe,iexplore.exe,explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$$$$$$$fjc.bat
  2⤵
  - Deletes itself
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$$$$$$$fjc.bat

Filesize
145B

MD5
78de0338df5478327def6b9d3ddd07eb

SHA1
7e087453802f8f289ca40b63f9bcc75cd574d917

SHA256
ec7755f5cb3e57f7b414dbc07221459ff684b932cffbd0ba57f29167029f304f

SHA512
3faaf9c3b65281f2383701e2ac2ed51ed6bfe045fd466aa375074c486958ec83cdb1b68ecaf2728ec83f11057817b06762e79c33d5b9b09b3508c85d0aa1b9f5

Download Submit
C:\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
\Windows\SysWOW64\msoe.dll

Filesize
71KB

MD5
4c5072cc5590c6b320fba45542cb0faf

SHA1
c222e253781b17308ff06e33efe92ccae2021d9d

SHA256
3a23a3a6cdef4aef0a646f2a45e4278b213d15e8210893e0156ab31dd02e9390

SHA512
4f87cb2b46e78cdaaf8c46849ab9ff2f6eba33c3d432d46014b1783fc579bd680c37aa1f95e9f341d0d859ef558bef779ac31b576d04108db0d2603c74a7e66c

Download Submit
memory/1948-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download