831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
Size

4.9MB
MD5

2b03146531dd5016ed68d30abf45ab58
SHA1

28491f4ef4a236129522d2dcd582d9b1ecc0211c
SHA256

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc
SHA512

7c853681ce07ed584510af9529007cda1c51252ddf166851d63cf07fa3d92a679ca2775e72b6d172c4f7b58ba7f1cb4e37b5a8263c26dc8a86bbbc99d4f876ea
SSDEEP

98304:QT7ynCwGOC7Nf1+zWC+aOVP1YkXW3GzvFWYoDY+pIyDUoTPM+yMprj0hodPanLzy:0yCwGOYNf6WC+aOVtYh32vFRopdsMV0y

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 8 IoCs

Processes:

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exerundll32.exerundll32.exe

pid process

1628 831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1556 rundll32.exe
4328 rundll32.exe
4328 rundll32.exe
4256
4416
2844
2864
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe

description ioc process

File created \??\c:\progra~3\assist~1\AssistantSvc.dll 831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe

description	ioc	process
File created	\??\c:\progra~3\assist~1\AssistantSvc.dll	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exerundll32.exe

pid	process
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
4328	rundll32.exe
4328	rundll32.exe
4328	rundll32.exe
4328	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe

pid process

1628 831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exerundll32.exe

description	pid	process	target process
PID 1628 wrote to memory of 1556	1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe	rundll32.exe
PID 1628 wrote to memory of 1556	1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe	rundll32.exe
PID 1628 wrote to memory of 1556	1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe	rundll32.exe
PID 4784 wrote to memory of 4328	4784	rundll32.exe	rundll32.exe
PID 4784 wrote to memory of 4328	4784	rundll32.exe	rundll32.exe
PID 4784 wrote to memory of 4328	4784	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
"C:\Users\Admin\AppData\Local\Temp\831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service -install
2⤵
- Loads dropped DLL
PID:1556

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service
1⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Assistant\Assistant.dll

Filesize
4.3MB

MD5
b32be388c4974d9b74f9782afeea865b

SHA1
18bb72942239e9453b1f1dd614626d875bcf3c04

SHA256
4d65a5a26eeaf00915659baed63e4cb0cae305b8a4c911730b476b2ededd3b8f

SHA512
cd66cfcafe690c0eb0eb184473f94f6020b127682323faad9983aedc2d75e7de3b3846d938ef6d05c5ba1d8041c3c85901b3cc4de381c98993eef89e055e71ea

Download Submit
C:\ProgramData\Assistant\AssistantSvc.dll

Filesize
175KB

MD5
f93454d62071353c10f266641f838c7f

SHA1
5774ed0c0ea6bab4813e6c3502590ee4870df27b

SHA256
369c2641ff54603e21dd216f3e823aca15495a76f4e82f2b9f665b57d7d149b5

SHA512
22bb85068989b8bea056a68a740fb0fb0dc64e925b871b8a073a045a44bf5f78d90853b274f670b16f28d84725d6e7d3120b4256338fe07caa35f978f96cd399

Download Submit
C:\ProgramData\Assistant\AssistantSvc.dll

Filesize
175KB

MD5
f93454d62071353c10f266641f838c7f

SHA1
5774ed0c0ea6bab4813e6c3502590ee4870df27b

SHA256
369c2641ff54603e21dd216f3e823aca15495a76f4e82f2b9f665b57d7d149b5

SHA512
22bb85068989b8bea056a68a740fb0fb0dc64e925b871b8a073a045a44bf5f78d90853b274f670b16f28d84725d6e7d3120b4256338fe07caa35f978f96cd399

Download Submit
C:\ProgramData\Assistant\Assistant_x64.dll

Filesize
4.2MB

MD5
72568eb5089b58b358473758e3f0ebfe

SHA1
135e3569852a727dc9bf87488605db9adbde0a03

SHA256
193f1b827ce2ffb536f567aaa466cf71cedeceb557a0b6ade63603ecb86e0c7b

SHA512
52201072a58f30e985374a4be6bf175d823091c7134ae03a3756d39cd3d58f90c42f25cde9f2120e0ade7ca2f500b529c4569f4e8868c6422273924612fc95ba

Download Submit
C:\ProgramData\Assistant\Assistant_x64.dll

Filesize
4.2MB

MD5
72568eb5089b58b358473758e3f0ebfe

SHA1
135e3569852a727dc9bf87488605db9adbde0a03

SHA256
193f1b827ce2ffb536f567aaa466cf71cedeceb557a0b6ade63603ecb86e0c7b

SHA512
52201072a58f30e985374a4be6bf175d823091c7134ae03a3756d39cd3d58f90c42f25cde9f2120e0ade7ca2f500b529c4569f4e8868c6422273924612fc95ba

Download Submit
C:\ProgramData\Assistant\Assistant_x64.dll

Filesize
4.2MB

MD5
72568eb5089b58b358473758e3f0ebfe

SHA1
135e3569852a727dc9bf87488605db9adbde0a03

SHA256
193f1b827ce2ffb536f567aaa466cf71cedeceb557a0b6ade63603ecb86e0c7b

SHA512
52201072a58f30e985374a4be6bf175d823091c7134ae03a3756d39cd3d58f90c42f25cde9f2120e0ade7ca2f500b529c4569f4e8868c6422273924612fc95ba

Download Submit
C:\ProgramData\Assistant\Assistant_x64.dll

Filesize
4.2MB

MD5
72568eb5089b58b358473758e3f0ebfe

SHA1
135e3569852a727dc9bf87488605db9adbde0a03

SHA256
193f1b827ce2ffb536f567aaa466cf71cedeceb557a0b6ade63603ecb86e0c7b

SHA512
52201072a58f30e985374a4be6bf175d823091c7134ae03a3756d39cd3d58f90c42f25cde9f2120e0ade7ca2f500b529c4569f4e8868c6422273924612fc95ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf00294823.dll

Filesize
4.3MB

MD5
b32be388c4974d9b74f9782afeea865b

SHA1
18bb72942239e9453b1f1dd614626d875bcf3c04

SHA256
4d65a5a26eeaf00915659baed63e4cb0cae305b8a4c911730b476b2ededd3b8f

SHA512
cd66cfcafe690c0eb0eb184473f94f6020b127682323faad9983aedc2d75e7de3b3846d938ef6d05c5ba1d8041c3c85901b3cc4de381c98993eef89e055e71ea

Download Submit
\??\c:\progra~3\assist~1\AssistantSvc.dll

Filesize
175KB

MD5
f93454d62071353c10f266641f838c7f

SHA1
5774ed0c0ea6bab4813e6c3502590ee4870df27b

SHA256
369c2641ff54603e21dd216f3e823aca15495a76f4e82f2b9f665b57d7d149b5

SHA512
22bb85068989b8bea056a68a740fb0fb0dc64e925b871b8a073a045a44bf5f78d90853b274f670b16f28d84725d6e7d3120b4256338fe07caa35f978f96cd399

Download Submit
\??\c:\progra~3\assist~1\assist~1.dll

Filesize
4.3MB

MD5
b32be388c4974d9b74f9782afeea865b

SHA1
18bb72942239e9453b1f1dd614626d875bcf3c04

SHA256
4d65a5a26eeaf00915659baed63e4cb0cae305b8a4c911730b476b2ededd3b8f

SHA512
cd66cfcafe690c0eb0eb184473f94f6020b127682323faad9983aedc2d75e7de3b3846d938ef6d05c5ba1d8041c3c85901b3cc4de381c98993eef89e055e71ea

Download Submit
memory/1556-133-0x0000000000000000-mapping.dmp

Download
memory/4328-136-0x0000000000000000-mapping.dmp

Download

pid	process
1628	831bdafac182ed74305f9a612cd00cfec52a675c880e01a0cbad84e1e76a24cc.exe
1556	rundll32.exe
4328	rundll32.exe
4328	rundll32.exe
4256
4416
2844
2864