920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32

Analysis

max time kernel
161s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Size

271KB
MD5

3dd67325f180bc48b0cf2c67b13d6320
SHA1

8936730b9d112152090b23b62a1442c21cfc3049
SHA256

920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32
SHA512

721ca105442d2496ce04a3e985506f65b6f27cb76ad676de5f4631154ccbe479083037077aec7b6d9a7c7e931a034fd9cf21158a2fd62cb5c10ffba629823fdb
SSDEEP

6144:pvH/Rmo/ToUatAubNawb9VOExRCiMOEoAEzPqGjfRpo:dH4WToX5bswb9VOExxLEBcPdfRp

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

Loads dropped DLL 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
1000	svchost.exe
1000	svchost.exe
1564	svchost.exe
1564	svchost.exe
628	svchost.exe
628	svchost.exe
1660	svchost.exe
1660	svchost.exe
1524	svchost.exe
1524	svchost.exe
1676	svchost.exe
1676	svchost.exe

Drops file in System32 directory 7 IoCs

Processes:

920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

pid process

1788 920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

pid	process
1788	920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe

C:\Users\Admin\AppData\Local\Temp\920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe
"C:\Users\Admin\AppData\Local\Temp\920d45a7da1a6f9d9ccf7be5ff6c50a44d9143e1b7517663c6454725c898ea32.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\??\c:\windows\SysWOW64\irmon.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\??\c:\windows\SysWOW64\nla.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Irmon.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Irmon.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Nla.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Nla.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Ntmssvc.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Ntmssvc.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Nwsapagent.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
\Windows\SysWOW64\Nwsapagent.dll
Filesize
271KB

MD5
4a24f81fef4dca075b4808c1c669ec70

SHA1
e95271c1298c1a21fe98b527d58fa0133e0ead99

SHA256
7df3012d371bb18257e228aa61f7f7ae8e53b4e3d1e96326995d14ea1b2c9cea

SHA512
ba19026f82a0d778893bcc9720df639b25a5bd4e5884fba18635d95ab10e23baddc8bd58063adfc73ceaa0187cdc29518ec5f31856a6633c542c27b8c265faf2

Download Submit
memory/1788-57-0x0000000000120000-0x0000000000142000-memory.dmp

Filesize
136KB

Download
memory/1788-56-0x0000000000120000-0x0000000000142000-memory.dmp

Filesize
136KB

Download
memory/1788-64-0x0000000002210000-0x0000000006210000-memory.dmp

Filesize
64.0MB

Download
memory/1788-58-0x0000000002210000-0x0000000006210000-memory.dmp

Filesize
64.0MB

Download
memory/1788-55-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1788-54-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1788-63-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads