d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
Size

63KB
MD5

ac0569464a8817dc6dbbafb6daf4ef0d
SHA1

90622529e549e1ed077a200bdf67ff9b90b3c273
SHA256

d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1
SHA512

64bd1ed62c514ed8f572a399bed8865d4d770c4c7e031f26af74df3485a5f1c3c691b0bccc7146bb499f7642b5d92f7aa1f3bbb2508179ea7455b947867b5a29
SSDEEP

1536:/BXUmg9ujppHxFARYUPjjAv6fU6zvpL6YjXyFNtt:/BPFvU7jAv686rv+z

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zqeyud\Parameters\ServiceDll = "%SystemRoot%\\System32\\trvlbh.dll"	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
4136	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005c39b.001	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
File created	C:\Windows\SysWOW64\trvlbh.dll	d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe

C:\Users\Admin\AppData\Local\Temp\d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe
"C:\Users\Admin\AppData\Local\Temp\d4b35e677351055d1d4ea0237f189042945108329f04211643e0c84aa65ad9c1.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:2032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k zqeyud
1⤵
- Loads dropped DLL
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\trvlbh.dll

Filesize
91KB

MD5
8da71146fd3136c45c2762af7467caad

SHA1
4bdd9339c7f00aeb154988f04e6605d3992690dd

SHA256
050674497d473c1aa64dbb30de1dc7bfdf51331ca4c461346ecc856faa840b31

SHA512
9ffea4f53912b1403a67d18785bdf69168b119aeafae893bbbd4c560c621994a17972f4013a4215451cd99396ee2b204e59eecf54727d3b01c95ddebedff9d3c

Download Submit
C:\Windows\SysWOW64\trvlbh.dll

Filesize
91KB

MD5
8da71146fd3136c45c2762af7467caad

SHA1
4bdd9339c7f00aeb154988f04e6605d3992690dd

SHA256
050674497d473c1aa64dbb30de1dc7bfdf51331ca4c461346ecc856faa840b31

SHA512
9ffea4f53912b1403a67d18785bdf69168b119aeafae893bbbd4c560c621994a17972f4013a4215451cd99396ee2b204e59eecf54727d3b01c95ddebedff9d3c

Download Submit
\??\c:\windows\SysWOW64\trvlbh.dll

Filesize
91KB

MD5
8da71146fd3136c45c2762af7467caad

SHA1
4bdd9339c7f00aeb154988f04e6605d3992690dd

SHA256
050674497d473c1aa64dbb30de1dc7bfdf51331ca4c461346ecc856faa840b31

SHA512
9ffea4f53912b1403a67d18785bdf69168b119aeafae893bbbd4c560c621994a17972f4013a4215451cd99396ee2b204e59eecf54727d3b01c95ddebedff9d3c

Download Submit
memory/2032-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2032-134-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4136-137-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4136-138-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download