Analysis

max time kernel: 145s
max time network: 168s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2022 02:40
Behavioral task: behavioral1
Sample: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Resource: win10v2004-20220812-en
General

Target: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Size: 96KB
MD5: 2be2ce8ae439e80ea99fa51320cbc9f0
SHA1: 36b9e9d1345bca7abb7f5e7fe907715227961fae
SHA256: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8
SHA512: 8b15d17450d29dde654bcfbc6f76d6421d7a81401af67516f52aad073ea3f4213a340ac7979cf30eba674aa4e1bfdd997715d24ecdf58a2894f16fe809e6c880
SSDEEP: 1536:Jgtv4HxETPkgcky/Vht7ILmkAP3e3pzJuhyicgcqd33+9fX+:uv4HWT3yCfvZfucU3sf+
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  1784  AxInstSVS.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AxInstSVS\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7099371.dll"
  process: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe (PID 1092)

Loads dropped DLL (7 IoCs)
  pid   process
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  2008  svchost.exe
  2008  svchost.exe
  1784  AxInstSVS.exe
  1784  AxInstSVS.exe
  1784  AxInstSVS.exe
  1784  AxInstSVS.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                process
  File created                  C:\Windows\SysWOW64\AxInstSVS.exe  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\AxInstSVS.exe  svchost.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  1092  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process      target process
  PID 2008 wrote to memory of 1784  2008  svchost.exe  AxInstSVS.exe
  PID 2008 wrote to memory of 1784  2008  svchost.exe  AxInstSVS.exe
  PID 2008 wrote to memory of 1784  2008  svchost.exe  AxInstSVS.exe
  PID 2008 wrote to memory of 1784  2008  svchost.exe  AxInstSVS.exe
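The "Sets DLL path for service in the registry" signature above is the pivot of this sample's behaviour: once AxInstSVS's ServiceDll points at a DLL in the user's Temp folder, svchost.exe -k "AxInstSVS" loads that DLL with SYSTEM-level trust. The following is an added detection check written for this page, not part of the sandbox report or its tooling: it scans Sysmon Event ID 13-style (RegistryEvent SetValue) records for ServiceDll writes whose value resolves outside System32/SysWOW64. The event records, the 800/4321 PIDs, the services.exe/installer.exe images and the service name ExampleSvc are constructed; the first record reproduces the IoC printed above. It assumes a default install where %SystemRoot% is C:\Windows.

```python
"""Flag ServiceDll registry writes that point a service at a DLL outside the
Windows system directories (the pattern in the report above: the sample sets
...\services\AxInstSVS\Parameters\ServiceDll to a DLL under the user's Temp
folder, and svchost.exe -k "AxInstSVS" then loads it).

Added example for this page; not code from the sandbox or the sample.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Tail of a ServiceDll value path under any control set. Works for both the
# \REGISTRY\MACHINE\... spelling used by the sandbox and the HKLM\... spelling
# Sysmon uses.
SERVICEDLL_RE = re.compile(
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\services\\([^\\]+)"
    r"\\Parameters\\ServiceDll$",
    re.IGNORECASE,
)

# Assumption: default install with %SystemRoot% = C:\Windows.
SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIRS = tuple(
    ntpath.join(SYSTEM_ROOT, d).lower() + "\\" for d in ("System32", "SysWOW64")
)


@dataclass
class RegistrySetEvent:
    """Sysmon Event ID 13-style SetValue record (field names follow Sysmon)."""
    pid: int
    image: str
    target_object: str
    details: str


def normalize_dll_path(value: str) -> str:
    """Canonicalise a ServiceDll value: drop quotes, collapse the doubled
    backslashes the sandbox prints, expand %SystemRoot%/%windir%, resolve '..'
    and lower-case, so a prefix check cannot be bypassed by spelling tricks."""
    path = value.strip().strip('"').replace("\\\\", "\\")
    path = re.sub(r"%(?:SystemRoot|windir)%", lambda _m: SYSTEM_ROOT, path,
                  flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def servicedll_target(target_object: str) -> Optional[str]:
    """Return the service name if target_object is a ServiceDll value, else None."""
    m = SERVICEDLL_RE.search(target_object)
    return m.group(1) if m else None


def is_suspicious_servicedll(event: RegistrySetEvent):
    """Return (service, dll_path) when a ServiceDll is pointed outside
    System32/SysWOW64, otherwise None."""
    service = servicedll_target(event.target_object)
    if service is None:
        return None
    dll = normalize_dll_path(event.details)
    if any(dll.startswith(trusted) for trusted in TRUSTED_DIRS):
        return None
    return service, dll


def scan(events):
    """Return one finding dict per suspicious ServiceDll write."""
    findings = []
    for ev in events:
        hit = is_suspicious_servicedll(ev)
        if hit is not None:
            service, dll = hit
            findings.append({"pid": ev.pid, "image": ev.image,
                             "service": service, "dll": dll})
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe")

# Constructed events. The first reproduces the IoC from the report (value kept
# with the doubled backslashes as printed there); the rest are made up to show
# a legitimate write, a non-ServiceDll value, and a '..' traversal attempt.
SAMPLE_EVENTS = [
    RegistrySetEvent(1092, SAMPLE,
        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AxInstSVS\Parameters\ServiceDll",
        r"C:\\Users\\Admin\\AppData\\Local\\Temp\\7099371.dll"),
    RegistrySetEvent(800, r"C:\Windows\System32\services.exe",
        r"HKLM\SYSTEM\CurrentControlSet\services\AxInstSV\Parameters\ServiceDll",
        r"%SystemRoot%\System32\AxInstSV.dll"),
    RegistrySetEvent(1092, SAMPLE,
        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AxInstSVS\Parameters\ServiceDllUnloadOnStop",
        "1"),
    RegistrySetEvent(4321, r"C:\Users\Admin\installer.exe",
        r"HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\Parameters\ServiceDll",
        r"C:\Windows\System32\..\Temp\payload.dll"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['image']}) set {f['service']} ServiceDll -> {f['dll']}")
```

Note the service name: the legitimate ActiveX Installer service is AxInstSV, and the sample registers a look-alike AxInstSVS. The path check catches the hijack regardless of name, but the name mismatch is a second signal worth alerting on when a new svchost group (svchost.exe -k "<name>") appears that is not registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.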
Processes

C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  "C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe"
  PID: 1092
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
  PID: 1044

C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
  PID: 2008
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\AxInstSVS.exe (child of PID 2008)
    C:\Windows\system32\AxInstSVS.exe "c:\users\admin\appdata\local\temp\7099371.dll",MainThread
    PID: 1784
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Filesize: 29KB
MD5: 4f20adf798f7b1e0dce5870dbafea689
SHA1: 49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72
SHA256: 51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2
SHA512: 0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a