2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
Size

51KB
MD5

0557408783805734cf336e6ad486217d
SHA1

454cce7d93fb7908a839a4ba73ba5edf63c9b7c0
SHA256

2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233
SHA512

a6d962b8ee9bea03d95aa717cfb976e7873f54443ed192c1166b91726547cb2e11a0091088a831c937d077e34ea9666b81ca8552ebffdcf4a947946c58a16b35
SSDEEP

1536:d/ARS+XLldrEafUeYNq4gUw8Vn9vMU/VAMX8:FAR33IOUJNq4RpZMUbX8

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fdywrf\Parameters\ServiceDll = "%SystemRoot%\\System32\\uwupih.dll"	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET002\services\fdywrf\Parameters\ServiceDll = "%SystemRoot%\\System32\\uwupih.dll"	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET003\Services\fdywrf\Parameters\ServiceDll = "%SystemRoot%\\System32\\uwupih.dll"	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe

Loads dropped DLL 2 IoCs

pid	Process
940	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
936	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0004a8ea.inf	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
File created	C:\Windows\SysWOW64\uwupih.dll	2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe

C:\Users\Admin\AppData\Local\Temp\2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe
"C:\Users\Admin\AppData\Local\Temp\2789f1ec155c60b10980f9e2ed07bf21b68ae1ee46e782111f306d8289113233.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k fdywrf
1⤵
- Loads dropped DLL
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\uwupih.dll

Filesize
69KB

MD5
2bafce790d0e19cf238f29c001d83cfc

SHA1
c840a1b7aaea81185714869a0a40434dfde4c456

SHA256
88f241147c358287dd734d3a19cbbf6fb3434375ca58f2ec90cfc1498bf2eaa1

SHA512
ef16f9c8fd00ed199d4a965d5f597b75956bcb213d786063de10a2de70e5c315a18e0383d5950a4f801dd4b115697b498927fd4b2549bfe7f7e32e6db56856f8

Download Submit
\Windows\SysWOW64\uwupih.dll

Filesize
69KB

MD5
2bafce790d0e19cf238f29c001d83cfc

SHA1
c840a1b7aaea81185714869a0a40434dfde4c456

SHA256
88f241147c358287dd734d3a19cbbf6fb3434375ca58f2ec90cfc1498bf2eaa1

SHA512
ef16f9c8fd00ed199d4a965d5f597b75956bcb213d786063de10a2de70e5c315a18e0383d5950a4f801dd4b115697b498927fd4b2549bfe7f7e32e6db56856f8

Download Submit
\Windows\SysWOW64\uwupih.dll

Filesize
69KB

MD5
2bafce790d0e19cf238f29c001d83cfc

SHA1
c840a1b7aaea81185714869a0a40434dfde4c456

SHA256
88f241147c358287dd734d3a19cbbf6fb3434375ca58f2ec90cfc1498bf2eaa1

SHA512
ef16f9c8fd00ed199d4a965d5f597b75956bcb213d786063de10a2de70e5c315a18e0383d5950a4f801dd4b115697b498927fd4b2549bfe7f7e32e6db56856f8

Download Submit
memory/940-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download