5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e

Analysis

max time kernel
77s
max time network
103s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe
Size

197KB
MD5

130521f198d904fa539df1116618577e
SHA1

d802aeaa10742fb6878a847699aeb236827275db
SHA256

5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e
SHA512

a5980afb3ee4500b9fada845e8dc47311c5d10128fb795236b43c8b31724680fc264d33abb055d6f6aebd0074b29abf5f044c514726f8e25563dc12a27bff1af
SSDEEP

3072:5R9ANQza33Z4UX4NWEd5GYS3kIyZFQsvgUYi62vSJpQ8HP+aJe1mgawzxsBub864:5R9AiXCIFNPkHmTV5nxTV5n+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	system

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Khvqmxu\Parameters\ServiceDll = "C:\\PROGRA~1\\Msbih\\Hwsbl.dll"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2028	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2028	svchost.exe
1980	system
1980	system
1980	system
1980	system

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	system

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Msbih\Hwsbl.dll	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f	system
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	system
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\WpadNetworkName = "Network 2"	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\WpadDecisionTime = 20145da12cf3d801	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f\WpadDecisionReason = "1"	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f\WpadDecisionTime = 40a6178f2cf3d801	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f\WpadDecision = "0"	system
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	system
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	system
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\76-3e-7d-51-b4-6f	system
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f\WpadDetectedUrl	system
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}	system
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	system
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\WpadDecisionReason = "1"	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\WpadDecisionTime = 40a6178f2cf3d801	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	system
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	system
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C6E8557-EF3B-4715-A0BF-7C7D4641AA55}\WpadDecision = "0"	system
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-3e-7d-51-b4-6f\WpadDecisionTime = 20145da12cf3d801	system

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	rundll32.exe
1980	system
1980	system

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 1668 wrote to memory of 2044	1668	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	28
PID 2028 wrote to memory of 1980	2028	svchost.exe	30
PID 2028 wrote to memory of 1980	2028	svchost.exe	30
PID 2028 wrote to memory of 1980	2028	svchost.exe	30
PID 2028 wrote to memory of 1980	2028	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe
"C:\Users\Admin\AppData\Local\Temp\5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668
- C:\windows\SysWOW64\rundll32.exe
  C:\windows\system32\rundll32.exe C:\PROGRA~1\Msbih\Hwsbl.dll comdl3
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\system
  C:\system c:\progra~1\msbih\hwsbl.dll comdl2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
102B

MD5
088c8d8b9471db96d131ac89898c3714

SHA1
765c76fd882ef53238361acbd8a89949cc1353a3

SHA256
53c06375e1be83581e1fe44beae337a9b773f28fcabf65e861b239decf080365

SHA512
66d15da39c32afaaadf218fe2a665f44cca837b59fb3cfda0e663cbe187f91c814c4152654c2b58638fa94d5812786236f4f2285d48ab435a582953784296ea5

Download Submit
C:\system

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\system

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
\PROGRA~1\Msbih\Hwsbl.dll

Filesize
30.2MB

MD5
2308c149149fa20b2ba21d7dae9b0a0b

SHA1
7590a4d0e7ac4de68a328d541a85c9d9ba342145

SHA256
ad9c7f3a43984b2db52745549feb25e7ed6a829d79e7035596ba0077cce1621c

SHA512
7704b953edb796c4cffe01799370f9fa68089ce8fa5841084a0ff3dc5a2cda2d8e29d3247b414222ae3fbea700ed0e2dc732bdb10909f75b2edd228a56ff1e52

Download Submit
memory/1668-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-56-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download