c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372

Analysis

max time kernel
200s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe
Size

244KB
MD5

ab40c7966052b2fbd00e50409fdd2ff2
SHA1

13d87178de58083105011a108afbf4041f64809e
SHA256

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372
SHA512

372841c3c0153e44ae653841be1de768079bd97ab9798179a6c41753ccc4e90f1411b233da5702c918eeec8858f99d57d17f3302596f7e983a434b10171b2d0f
SSDEEP

6144:PfhVQamKyy+l3r7d3UmgdRAbjPNexdRh8:Pfh5mKylb7LgvAbjPkx+

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ongadf2fad1\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6df5d4m.dll"	c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

Loads dropped DLL 1 IoCs

Processes:

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

pid process

772 c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

pid	process
772	c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

Drops file in System32 directory 2 IoCs

Processes:

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\RCXF651.tmp	c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe
File created	C:\Windows\SysWOW64\mt6df5d4m.dll	c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

pid process

772 c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

pid	process
772	c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe

C:\Users\Admin\AppData\Local\Temp\c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe
"C:\Users\Admin\AppData\Local\Temp\c377c0fe48c01b00f1d7f9e26b845705e562cc528a3117ca75b702ca6adba372.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "ongadf2fad1"
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mt6df5d4m.dll

Filesize
12.5MB

MD5
caf45efaff0d4c4c8b6d27c0bb4f4de8

SHA1
a61955c4e47b27aa37176845e3b404076403b4df

SHA256
3e67b1550ec98f748a777bbb84869f3bd1c79985a9026f4f98d921bbf007e721

SHA512
ad721d7d2be9ab5c444cb3479cd541999f6d2b39bf9ea6690fd146f468ff349eb95b39ba1bf802c0256140a3dfc20c66950590d4abe77a8839bd22e5fe233fca

Download Submit