Analysis

Max time kernel: 134s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 24-11-2022 04:26
Behavioral tasks
  behavioral1: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe on win7-20220812-en
  behavioral2: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe on win10v2004-20221111-en

The signatures, process tree and downloads below come from behavioral1 (Windows 7 x64); all PIDs refer to that run.
General

Target: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe
Size: 51KB
MD5: 55088c4d7b88dafd8d2716b890c010f9
SHA1: d1e802b4f4b951c499a3d5f0644c615581893c2d
SHA256: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd
SHA512: 084b1cac68764c2ec4c104bb801f71ef80d65006a277fd0d6259ef8171c36f68308dec191dac8f3f4eac40557496e0ed2fc73ea5bc5f1c062444255ab8720cf3
SSDEEP: 768:kkYTL0bL6eLz7vydjFFw0rqEIn5CHV7M5EHdMtSL+/HVXULokCAGGYcuUHm:7qA6ynvyfFwxBn5czHmI+/+LHGGBtHm
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\drivers\beep.sys
  Process: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MediaCenter\Parameters\ServiceDll = "C:\Windows\system32\RrmmtpC.dll"
  Process: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)
  Note: the registry value names system32, but the file the sample writes lands in C:\Windows\SysWOW64\RrmmtpC.dll (see "Drops file in System32 directory" and Downloads). The sample runs as a 32-bit process under WOW64, and file-system redirection maps its system32 writes to SysWOW64; the 32-bit C:\Windows\SysWOW64\svchost.exe that hosts the service resolves the same path the same way, which is why that svchost is the process that loads the dropped DLL. When checking a suspect host, hash the file at the SysWOW64 path rather than the path written in the registry.

YARA rule match: upx (UPX packer)
  behavioral1/memory/1688-59-0x0000000000400000-0x000000000041A000-memory.dmp (in-memory image of the sample, PID 1688)

YARA rule match: vmprotect
  \Windows\SysWOW64\RrmmtpC.dll
  \??\c:\windows\SysWOW64\rrmmtpc.dll

Deletes itself (1 IoC)
  cmd.exe (PID 2024)

Loads dropped DLL (2 IoCs)
  981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)
  svchost.exe (PID 1664)

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\RrmmtpC.dll
  Process: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688), two occurrences

Suspicious behavior: LoadsDriver (1 IoC)
  PID 464 (process name not recorded on this page)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege
  Process: 981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1688 (981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe) wrote to the memory of PID 2024 (cmd.exe), four times
  Note: a parent writing into a child it has just created is part of normal process start-up and is not by itself evidence of injection; the only target here is the cmd.exe used for self-deletion.
Processes

C:\Users\Admin\AppData\Local\Temp\981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe"
  Signatures: Drops file in Drivers directory; Sets DLL path for service in the registry; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2024)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\981929~1.EXE > nul
        Signatures: Deletes itself
        (981929~1.EXE is the 8.3 short name of the sample. The command line names system32\cmd.exe, but the image that ran is SysWOW64\cmd.exe: WOW64 redirection again, because the parent is a 32-bit process.)

C:\Windows\SysWOW64\svchost.exe (PID 1032)
  Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

C:\Windows\SysWOW64\svchost.exe (PID 1664)
  Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
  Signatures: Loads dropped DLL

krnlsrvc is not one of the default svchost service groups shipped with Windows; two 32-bit svchost instances were started with it, and PID 1664 is the one that loaded the dropped RrmmtpC.dll.
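The three behaviours the tree above records (a ServiceDll value written by something other than the service control manager, svchost.exe started with a service group that is not registered, and a child cmd.exe deleting its parent's image by 8.3 short name) can be turned into host-log detections. The script below is an added example written for this page, not code from the sandbox or from the sample. It runs over constructed Sysmon-style event dicts modelled on the report's process tree and registry IoC; the event schema, the svchost group and ServiceDll-writer allow-lists, and the simplified 8.3 name comparison are all assumptions for illustration.

```python
"""Triage constructed Sysmon-style events for the behaviours in the report:
ServiceDll set by an untrusted process, svchost -k with an unregistered group,
and self-deletion via cmd.exe. Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass

SAMPLE = "981929d38a638cd8f0f95171b68a27c509435753539751ba2803c2621eb758fd.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# Hypothetical allow-lists. A real hunt would read the svchost group list from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on the host itself.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss"}
SERVICEDLL_WRITERS_OK = {"services.exe", "msiexec.exe", "tiworker.exe"}

SERVICEDLL_RE = re.compile(r"\\services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
SVCHOST_GROUP_RE = re.compile(r"-k\s+(\S+)", re.I)
DEL_TARGET_RE = re.compile(r"\bdel\b\s+(?:/\S+\s+)*\"?([^\s\"]+)", re.I)

# Constructed events modelled on the process tree and registry IoC above.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1688, "ppid": 900, "image": SAMPLE_PATH,
     "cmdline": '"' + SAMPLE_PATH + '"'},
    {"type": "RegistrySet", "pid": 1688, "image": SAMPLE_PATH,
     "key": r"HKLM\SYSTEM\ControlSet001\services\MediaCenter\Parameters\ServiceDll",
     "value": r"C:\Windows\system32\RrmmtpC.dll"},
    {"type": "ProcessCreate", "pid": 2024, "ppid": 1688, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del " + TEMP + r"\981929~1.EXE > nul"},
    {"type": "ProcessCreate", "pid": 1032, "ppid": 464, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k krnlsrvc"},
    {"type": "ProcessCreate", "pid": 1664, "ppid": 464, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k krnlsrvc"},
    {"type": "ProcessCreate", "pid": 700, "ppid": 464, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign control event
]


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def wow64_view(path: str) -> str:
    r"""Path a 32-bit process actually reaches for a \Windows\system32 path:
    WOW64 file-system redirection maps it to \Windows\SysWOW64. This is where
    the dropped ServiceDll must be hashed on a host."""
    return re.sub(r"(?i)(\\Windows)\\system32\\", r"\1\\SysWOW64\\", path)


def short_name_matches(long_name: str, short_name: str) -> bool:
    """Simplified 8.3 check: short stem is the first characters of the long stem
    (spaces and dots removed, upper-cased) followed by ~N; extension is the
    first three characters of the long extension. Hash-style ~ names that
    Windows generates after the fourth collision are not modelled."""
    def split(name):
        stem, dot, ext = name.rpartition(".")
        return (stem, ext) if dot else (name, "")
    lstem, lext = split(long_name)
    sstem, sext = split(short_name)
    lstem_n = re.sub(r"[ .]", "", lstem).upper()
    if sext.upper() != lext.upper()[:3]:
        return False
    if "~" in sstem:
        prefix = sstem.upper().split("~", 1)[0]
        return bool(prefix) and lstem_n.startswith(prefix)
    return sstem.upper() == lstem_n


def find_servicedll_writes(events):
    out = []
    for e in events:
        m = e["type"] == "RegistrySet" and SERVICEDLL_RE.search(e["key"])
        if not m or basename(e["image"]).lower() in SERVICEDLL_WRITERS_OK:
            continue
        out.append(Finding("servicedll_set_by_untrusted_process", e["pid"],
                           f"service={m.group(1)} dll={e['value']} "
                           f"wow64_view={wow64_view(e['value'])} writer={basename(e['image'])}"))
    return out


def find_unknown_svchost_groups(events):
    out = []
    for e in events:
        if e["type"] != "ProcessCreate" or basename(e["image"]).lower() != "svchost.exe":
            continue
        m = SVCHOST_GROUP_RE.search(e["cmdline"])
        group = m.group(1).lower() if m else ""
        if group not in KNOWN_SVCHOST_GROUPS:
            out.append(Finding("svchost_unregistered_group", e["pid"], f"group={group or '<none>'}"))
    return out


def find_self_delete(events):
    images = {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}
    out = []
    for e in events:
        if e["type"] != "ProcessCreate" or basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_TARGET_RE.search(e["cmdline"])
        parent = images.get(e["ppid"])
        if m and parent and short_name_matches(basename(parent), basename(m.group(1))):
            out.append(Finding("self_delete_via_cmd", e["pid"],
                               f"parent={basename(parent)} target={basename(m.group(1))}"))
    return out


def triage(events):
    return {"servicedll": find_servicedll_writes(events),
            "svchost": find_unknown_svchost_groups(events),
            "self_delete": find_self_delete(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        for h in hits:
            print(rule, h.pid, h.detail)
```

On the constructed events the script reports the ServiceDll write for MediaCenter by PID 1688 (with its SysWOW64 resolution), both svchost instances started with the unknown krnlsrvc group, and the cmd.exe self-delete of PID 1688's image via the 981929~1.EXE short name; the netsvcs svchost is not flagged.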
Network
MITRE ATT&CK Enterprise v6
Downloads

\??\c:\windows\SysWOW64\rrmmtpc.dll
  Size: 73KB
  MD5: aca381740b9a4ef3a0666d8064a0a3c1
  SHA1: 30d3b980d2933ce0208f2ee86774290cf48f4d54
  SHA256: e7b1414428a436a882b516cb9d4e228cc173441935925cbf2207cba83225b3d4
  SHA512: d9b392e9c0fd454fe5e965a0328e419b8a39fbe76969ac0738da621a15c826f348a37adbe0f4348e5a3413685f27009b6d40645b304e0f05a522c98ac135b69f

\Windows\SysWOW64\RrmmtpC.dll (same file as above, reached by a second path form; identical hashes)
  Size: 73KB
  MD5: aca381740b9a4ef3a0666d8064a0a3c1
  SHA1: 30d3b980d2933ce0208f2ee86774290cf48f4d54
  SHA256: e7b1414428a436a882b516cb9d4e228cc173441935925cbf2207cba83225b3d4
  SHA512: d9b392e9c0fd454fe5e965a0328e419b8a39fbe76969ac0738da621a15c826f348a37adbe0f4348e5a3413685f27009b6d40645b304e0f05a522c98ac135b69f

memory/1688-55-0x0000000075601000-0x0000000075603000-memory.dmp
  Size: 8KB

memory/1688-59-0x0000000000400000-0x000000000041A000-memory.dmp
  Size: 104KB (the sample's image region, matched by the upx YARA rule)

memory/2024-60-0x0000000000000000-mapping.dmp