837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d

Analysis

max time kernel
201s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d.dll
Size

29KB
MD5

5aa9154323333d7856e4b9903b7c5e50
SHA1

ca9f9493aa3f245a5af2e3b951e3a07f944c50bf
SHA256

837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d
SHA512

e64803fcee0868e4e927b891a0ade00719520720e1831a05523836115983c4573f53ac4a12dd1250517d3399071d24429529e60f681716881ebd341a29207598
SSDEEP

768:7w8z/CdUZfPNzYedSCw3g4e7T1fyGj4wkPrl2KY:T7CdUZtEiL+gVj4PB1Y

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dmserveice\Parameters\ServiceDll = "C:\\Windows\\system32\\msflxgrd.ocx.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4556	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msflxgrd.ocx.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msflxgrd.ocx.dll	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4716	3416	rundll32.exe	80
PID 3416 wrote to memory of 4716	3416	rundll32.exe	80
PID 3416 wrote to memory of 4716	3416	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  PID:4716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msflxgrd.ocx.dll

Filesize
29KB

MD5
5aa9154323333d7856e4b9903b7c5e50

SHA1
ca9f9493aa3f245a5af2e3b951e3a07f944c50bf

SHA256
837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d

SHA512
e64803fcee0868e4e927b891a0ade00719520720e1831a05523836115983c4573f53ac4a12dd1250517d3399071d24429529e60f681716881ebd341a29207598

Download Submit
\??\c:\windows\SysWOW64\msflxgrd.ocx.dll

Filesize
29KB

MD5
5aa9154323333d7856e4b9903b7c5e50

SHA1
ca9f9493aa3f245a5af2e3b951e3a07f944c50bf

SHA256
837035316f11f0769687ab0cf9a8eb2a87b8a8f93e70bd182762c2d63eb4a76d

SHA512
e64803fcee0868e4e927b891a0ade00719520720e1831a05523836115983c4573f53ac4a12dd1250517d3399071d24429529e60f681716881ebd341a29207598

Download Submit
memory/4556-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4556-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4556-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4716-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4716-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4716-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download