1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9

Analysis

max time kernel
149s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Size

88KB
MD5

15e49d6669518123528837daa809f830
SHA1

bb99059337de845366ffba902be439fafcc20d78
SHA256

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9
SHA512

934971b4be75026f209ad6045257addca3b41b785a49b0ccedcbcaf0aafaaee7a80787f5ea4dea27a79edb7c50fba99616994a49704c03f7ce836b0d37872780
SSDEEP

1536:atZHJGPKZi+unw3uzV1c02GccppoNr9hTcOujjwGTr0aIiksSaV1K7s:o3GCZi+u93+FPNr9hoOVGToadTug

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

Loads dropped DLL 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
760	svchost.exe
760	svchost.exe
1956	svchost.exe
1956	svchost.exe
1632	svchost.exe
1632	svchost.exe
1980	svchost.exe
1980	svchost.exe
1400	svchost.exe
1400	svchost.exe
1720	svchost.exe
1720	svchost.exe

Drops file in System32 directory 7 IoCs

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ias.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

pid process

1312 1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

pid	process
1312	1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe

C:\Users\Admin\AppData\Local\Temp\1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe
"C:\Users\Admin\AppData\Local\Temp\1eca38a96ace5d89c4eab9bcd0e0df6cb2f95498466fa16b11b93b05aa8215b9.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
88KB

MD5
71c7173e1ab1270b71d02de2cf47479f

SHA1
54a0acf6eb38e4e2051c71d7a9200c9012cad93e

SHA256
27a88e65bace95ea3822199bd13270841655fed163ed195263c0133e7938a30b

SHA512
3e52937a8e42ff6be2c9c976973a0f9b6f3f93f200ca2457d32dd4681245ede24bdc9ebda51552263971440be4a5276e612fc3cbb73b0f3d8bdcb01031f98fd1

Download Submit
memory/760-66-0x0000000074840000-0x0000000074862000-memory.dmp

Filesize
136KB

Download
memory/760-65-0x0000000074B90000-0x0000000074BB2000-memory.dmp

Filesize
136KB

Download
memory/760-64-0x0000000074840000-0x0000000074862000-memory.dmp

Filesize
136KB

Download
memory/760-63-0x0000000074B90000-0x0000000074BB2000-memory.dmp

Filesize
136KB

Download
memory/1312-55-0x0000000000C00000-0x0000000000C22000-memory.dmp

Filesize
136KB

Download
memory/1312-56-0x00000000000F0000-0x0000000000112000-memory.dmp

Filesize
136KB

Download
memory/1312-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1312-57-0x0000000002250000-0x0000000006250000-memory.dmp

Filesize
64.0MB

Download
memory/1312-59-0x0000000002250000-0x0000000006250000-memory.dmp

Filesize
64.0MB

Download