ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3

Analysis

max time kernel
128s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe
Size

76KB
MD5

25fe35eab2bda27cb13dcdc3c604f17f
SHA1

be36aa7f1febbde1455fc655e115d4741704f5ff
SHA256

ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3
SHA512

a3436aea88e2115c8efe5f5f996302175155d0c74f8c4b3089e64994c36548aa7d9b154a001493a37f6ab2c57efd711899527be1faab22abf6431c329bdabb62
SSDEEP

768:2u17djCLTWQ+LMmdjjQ4hKMg8jfVjIbdu+KdoJzc5XvHFcoIPwHCO1XSBcb9KEsh:2uzCveYzsfZmboCq5ahO+c5KEsh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
956	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	cmd.exe
1724	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\35786745\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\35786745\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1160	sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1624	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	28
PID 1908 wrote to memory of 1624	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	28
PID 1908 wrote to memory of 1624	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	28
PID 1908 wrote to memory of 1624	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	28
PID 1624 wrote to memory of 1916	1624	cmd.exe	30
PID 1624 wrote to memory of 1916	1624	cmd.exe	30
PID 1624 wrote to memory of 1916	1624	cmd.exe	30
PID 1624 wrote to memory of 1916	1624	cmd.exe	30
PID 1624 wrote to memory of 2044	1624	cmd.exe	31
PID 1624 wrote to memory of 2044	1624	cmd.exe	31
PID 1624 wrote to memory of 2044	1624	cmd.exe	31
PID 1624 wrote to memory of 2044	1624	cmd.exe	31
PID 1908 wrote to memory of 1768	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	32
PID 1908 wrote to memory of 1768	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	32
PID 1908 wrote to memory of 1768	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	32
PID 1908 wrote to memory of 1768	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	32
PID 1768 wrote to memory of 1976	1768	cmd.exe	34
PID 1768 wrote to memory of 1976	1768	cmd.exe	34
PID 1768 wrote to memory of 1976	1768	cmd.exe	34
PID 1768 wrote to memory of 1976	1768	cmd.exe	34
PID 1768 wrote to memory of 2024	1768	cmd.exe	35
PID 1768 wrote to memory of 2024	1768	cmd.exe	35
PID 1768 wrote to memory of 2024	1768	cmd.exe	35
PID 1768 wrote to memory of 2024	1768	cmd.exe	35
PID 1908 wrote to memory of 1724	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	36
PID 1908 wrote to memory of 1724	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	36
PID 1908 wrote to memory of 1724	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	36
PID 1908 wrote to memory of 1724	1908	ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe	36
PID 1724 wrote to memory of 956	1724	cmd.exe	38
PID 1724 wrote to memory of 956	1724	cmd.exe	38
PID 1724 wrote to memory of 956	1724	cmd.exe	38
PID 1724 wrote to memory of 956	1724	cmd.exe	38
PID 956 wrote to memory of 768	956	svchost.exe	39
PID 956 wrote to memory of 768	956	svchost.exe	39
PID 956 wrote to memory of 768	956	svchost.exe	39
PID 956 wrote to memory of 768	956	svchost.exe	39
PID 956 wrote to memory of 868	956	svchost.exe	40
PID 956 wrote to memory of 868	956	svchost.exe	40
PID 956 wrote to memory of 868	956	svchost.exe	40
PID 956 wrote to memory of 868	956	svchost.exe	40
PID 956 wrote to memory of 1160	956	svchost.exe	42
PID 956 wrote to memory of 1160	956	svchost.exe	42
PID 956 wrote to memory of 1160	956	svchost.exe	42
PID 956 wrote to memory of 1160	956	svchost.exe	42
PID 956 wrote to memory of 1296	956	svchost.exe	45
PID 956 wrote to memory of 1296	956	svchost.exe	45
PID 956 wrote to memory of 1296	956	svchost.exe	45
PID 956 wrote to memory of 1296	956	svchost.exe	45
PID 768 wrote to memory of 1540	768	net.exe	47
PID 768 wrote to memory of 1540	768	net.exe	47
PID 768 wrote to memory of 1540	768	net.exe	47
PID 768 wrote to memory of 1540	768	net.exe	47
PID 956 wrote to memory of 1880	956	svchost.exe	48
PID 956 wrote to memory of 1880	956	svchost.exe	48
PID 956 wrote to memory of 1880	956	svchost.exe	48
PID 956 wrote to memory of 1880	956	svchost.exe	48
PID 956 wrote to memory of 1396	956	svchost.exe	50
PID 956 wrote to memory of 1396	956	svchost.exe	50
PID 956 wrote to memory of 1396	956	svchost.exe	50
PID 956 wrote to memory of 1396	956	svchost.exe	50

C:\Users\Admin\AppData\Local\Temp\ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe
"C:\Users\Admin\AppData\Local\Temp\ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\35786745\svchost.exe" /P "Admin:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "c:\users\admin\appdata\roaming\35786745\svchost.exe" /P "Admin:R"
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\35786745" /P "Admin:R"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "c:\users\admin\appdata\roaming\35786745" /P "Admin:R"
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\35786745\svchost.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\35786745\svchost.exe
    C:\Users\Admin\AppData\Roaming\35786745\svchost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:1540
  - - C:\Windows\SysWOW64\regini.exe
      regini per
      4⤵
      Adds Run key to start application
      PID:868
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1160
  - - C:\Windows\SysWOW64\regini.exe
      regini perper
      4⤵
      Adds Run key to start application
      PID:1296
  - - C:\Windows\SysWOW64\regini.exe
      regini perperper
      4⤵
      Adds Run key to start application
      PID:1880
  - - C:\Windows\SysWOW64\regini.exe
      regini perperperper
      4⤵
      Adds Run key to start application
      PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\per

Filesize
68B

MD5
77612e763aacc6671e0c81713b419a41

SHA1
99c986a0e3bc15532bbca5a18ff90de93fefe7fc

SHA256
08f53032b63ada0a816ab77088624bef24a5451b7c7e0de05f958e5bd4e6977b

SHA512
99f94d1016eb7bff8deed9eb68c6d26756b2b02a30c4aa5dcc111429e0117acfbc15d7f4119fe06abead5039ee241afc1e6756d2e2250a08fcc818a50598b6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\perper

Filesize
68B

MD5
a6585d9cf9d692905da3ed6c1b9dd4c1

SHA1
166b3aece6d5a7d172acd0a1327af9265a5bf5d4

SHA256
50a38aee5de374bab740c163c3debc500041a2ee3aad01d466347eecf2540015

SHA512
a402fcebe80023edc9322adeecc89b8df845a80061008c26b890e33636869817460b57a326ee65dcd2bd7275933f9407be96aba7bfeae17530b55985ad00c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperper

Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperperper

Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Roaming\35786745\svchost.exe

Filesize
76KB

MD5
25fe35eab2bda27cb13dcdc3c604f17f

SHA1
be36aa7f1febbde1455fc655e115d4741704f5ff

SHA256
ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3

SHA512
a3436aea88e2115c8efe5f5f996302175155d0c74f8c4b3089e64994c36548aa7d9b154a001493a37f6ab2c57efd711899527be1faab22abf6431c329bdabb62

Download Submit
\??\c:\users\admin\appdata\roaming\35786745\svchost.exe

Filesize
76KB

MD5
25fe35eab2bda27cb13dcdc3c604f17f

SHA1
be36aa7f1febbde1455fc655e115d4741704f5ff

SHA256
ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3

SHA512
a3436aea88e2115c8efe5f5f996302175155d0c74f8c4b3089e64994c36548aa7d9b154a001493a37f6ab2c57efd711899527be1faab22abf6431c329bdabb62

Download Submit
\Users\Admin\AppData\Roaming\35786745\svchost.exe

Filesize
76KB

MD5
25fe35eab2bda27cb13dcdc3c604f17f

SHA1
be36aa7f1febbde1455fc655e115d4741704f5ff

SHA256
ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3

SHA512
a3436aea88e2115c8efe5f5f996302175155d0c74f8c4b3089e64994c36548aa7d9b154a001493a37f6ab2c57efd711899527be1faab22abf6431c329bdabb62

Download Submit
\Users\Admin\AppData\Roaming\35786745\svchost.exe

Filesize
76KB

MD5
25fe35eab2bda27cb13dcdc3c604f17f

SHA1
be36aa7f1febbde1455fc655e115d4741704f5ff

SHA256
ad5d0cc3dfd89127eb92aaa50d14cf48759a60b56019120de68fe42a655fdbc3

SHA512
a3436aea88e2115c8efe5f5f996302175155d0c74f8c4b3089e64994c36548aa7d9b154a001493a37f6ab2c57efd711899527be1faab22abf6431c329bdabb62

Download Submit
memory/1908-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download