bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c

Analysis

max time kernel
142s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
Size

56KB
MD5

ac24102d53e85c33e5091ea061404fd7
SHA1

4963f62f5e064eb21f6e292ed3380902e661659e
SHA256

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c
SHA512

5f1cd4cbed516757e52a2630ca91ccbd87628eb0cc8cbac3e79d45bf1b0975d327d40ee774134feb410a8a635e59ecca911cd5faddb7aa2b707a7982c30fe66d
SSDEEP

1536:qI7MesowLFZTdOwCzzWzDLdl+bLpBeifuUebK:z3sP5ZTdnCzzCDLrcpBeUuRG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lsp5F50.exe

pid process

1824 lsp5F50.exe

pid	process
1824	lsp5F50.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\stqdonmoxlSv\Parameters\ServiceDll = "C:\\Windows\\SysWOW64\\svcstqdonm.dll"	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

Loads dropped DLL 6 IoCs

Processes:

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exesvchost.execmd.exelsp5F50.exe

pid	process
1456	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
1704	svchost.exe
1328	cmd.exe
1328	cmd.exe
1824	lsp5F50.exe
1824	lsp5F50.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kfkjyxwbgvcbufghub = "C:\\Windows\\SysWOW64\\srv2648.exe"	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

Drops file in System32 directory 4 IoCs

Processes:

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\srv2648.exe	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
File created	C:\Windows\SysWOW64\svcstqdonm.dll	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
File opened for modification	C:\Windows\SysWOW64\svcstqdonm.dll	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
File created	C:\Windows\SysWOW64\srv2648.exe	bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost.exe

pid process

1704 svchost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exelsp5F50.exe

pid process

1456 bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
1824 lsp5F50.exe
1824 lsp5F50.exe

pid	process
1704	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

svchost.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 1328	1704	svchost.exe	cmd.exe
PID 1704 wrote to memory of 1328	1704	svchost.exe	cmd.exe
PID 1704 wrote to memory of 1328	1704	svchost.exe	cmd.exe
PID 1704 wrote to memory of 1328	1704	svchost.exe	cmd.exe
PID 1328 wrote to memory of 1824	1328	cmd.exe	lsp5F50.exe
PID 1328 wrote to memory of 1824	1328	cmd.exe	lsp5F50.exe
PID 1328 wrote to memory of 1824	1328	cmd.exe	lsp5F50.exe
PID 1328 wrote to memory of 1824	1328	cmd.exe	lsp5F50.exe

C:\Users\Admin\AppData\Local\Temp\bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe
"C:\Users\Admin\AppData\Local\Temp\bedfaf68c4a2e1dcb5b34612de969abad56ca81391280cc01c4621cc7c138c3c.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k DcomSec
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start "" "C:\Windows\TEMP\lsp5F50.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\TEMP\lsp5F50.exe
"C:\Windows\TEMP\lsp5F50.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1824

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\lsp5F50.exe
Filesize
56KB

MD5
6fd5914202ba0a564c04afabc77de63a

SHA1
62d3ff60c3d343298379b9f15e675c5d4ce8cca1

SHA256
dac9cd7a1c7754fbfc108c2544bf0d256dd8bd09928ae70344f38736a22b704c

SHA512
38a1ec7c0fff8c2504c67d3f7ca9aa57ff85d5feb8021122bb91d780348f10e7ce1f430e0054874a35cc0e1d798e69e861b72a6c31984661b750e05104df6bbd

Download Submit
C:\Windows\Temp\lsp5F50.exe
Filesize
56KB

MD5
6fd5914202ba0a564c04afabc77de63a

SHA1
62d3ff60c3d343298379b9f15e675c5d4ce8cca1

SHA256
dac9cd7a1c7754fbfc108c2544bf0d256dd8bd09928ae70344f38736a22b704c

SHA512
38a1ec7c0fff8c2504c67d3f7ca9aa57ff85d5feb8021122bb91d780348f10e7ce1f430e0054874a35cc0e1d798e69e861b72a6c31984661b750e05104df6bbd

Download Submit
\??\c:\logbot.txt
Filesize
3KB

MD5
6068531dd131b277dc6f36ac4c98898f

SHA1
a7902ca18fd4f0346b51102721a049333138a031

SHA256
b61acb91bb5e0c2776165a774af7d2a677803e0e9f4cf665320706e39b4b046b

SHA512
3ed0d19f42a4a7211839df21b5f0be56d254646ea9aa69163f079e325a0cb8f5cf0729bda41cde64e8eb8a35ddedf2e28f70780d8c588b4dfa6e25d7fa831dda

Download Submit
\??\c:\logbot.txt
Filesize
4KB

MD5
8834a25bc50a0a387dfbf9691803f926

SHA1
4c8d2268c13bee3ac857ab126d4475ee9f920f30

SHA256
376001d94b2abb36792bca7de67479fa28c70ea8e53b4e1f9e4177b80dd1b66a

SHA512
ef7e0ae4392d9f44228e038782c3645bfacc50103e22774051ea6a224ef86e2ff84d0048ad73eb1f51992d4c164e86be59d0e31e3ead83a8068551b0411a83db

Download Submit
\??\c:\logbot.txt
Filesize
6KB

MD5
ded4877d81ebbbeb5de37c694224e2ca

SHA1
03b2ec2be96f14baae16bf0ce7eb32a0dbceaf62

SHA256
fcd26c4ac530433bc65b3a8416195a92344f261ec427c7e6242dc76ea3ae6598

SHA512
c4859f4de5cd2e6750c014883cc303ec88b4bdcd0e02ef076fe419e25498ddf92577be71eaed4ee1aec9ba748ec35949b39e0fadf91e0a2bb6b7e8c67e8280f8

Download Submit
\??\c:\logbot.txt
Filesize
7KB

MD5
266fa9d782410281698778cba4820d9b

SHA1
4db83020f2cc5b3bf40bebc54812863b543c3161

SHA256
a491c1edf23dd00e1bbee470feba765e444b47ea1858df844442b3e7f772fee7

SHA512
1d2a913430c756a90ba48b4c2a2ec78ed5bd928f2c2a29b7ce649066273ee00cbe528b1c66a6824c5fcbccbd401ad17f93b44153b6a09e8225e1e508404ae9e2

Download Submit
\??\c:\logbot.txt
Filesize
7KB

MD5
a897adf87035ed16ff4fc97c6f1ea483

SHA1
9cbf3113fa37a976330061a8feff627670fcef9e

SHA256
3dbd711fd17e1a1f4169c4f417ec5dbd618dd3655b83e2a796b03eeec80e1a7c

SHA512
010e5a5b1f495292c69762658cc73aa5ff454788dcce7f828fed0a093d96ac6159369ecd24bd03a9a75edf055ba7978d6df9d496132638b3941bf9fc7c6a5628

Download Submit
\??\c:\logbot.txt
Filesize
7KB

MD5
f954aa533dac4a040787fe9ae3caa9a1

SHA1
f62fb68d670c1f34bbe026530c7a32b89b8a4212

SHA256
c0f1da2819607022f7fc90b96f577346535091124093d4e944362a4da2446589

SHA512
6d58be0b551ac004bc8989752ab28320106d4fbc99ed86486d5911426f7935fe0096f802bc8179a037fd33cfaf466de3b010f86342eb339b9bd8699d347bbe65

Download Submit
\??\c:\windows\syswow64\svcstqdonm.dll
Filesize
56KB

MD5
e676301ea288a915604d1c09ae740e8c

SHA1
8d8ebfb066bdd3c6e9f2d40e3106ebba0e026dee

SHA256
90ed93037a79fe8c89bc41debc7e94206dc220141b95c2da28d9193283cfb6ca

SHA512
6d0f23c0d10b977fb68a8897455ff6862d96830a1034525531060b2720933c73662cfff3b0505dc81bceb888d905634609dcb8672931de568ca32b02a00119a8

Download Submit
\Users\Admin\AppData\Local\Temp\lis36BB.tmp
Filesize
56KB

MD5
4ef640b857804fa7f39b0a6c49ca9b33

SHA1
97f8615d94b76ba52051d39569d774352f5b1caf

SHA256
11947846bac30b2c8ada8c5233b5e8d72d4a5e4e7b1daa2d9d80c067674f7f51

SHA512
990d30d0f9cdc1dd0c5e5eec6ad41bf99f0b0cadac3eddcd609a5f74a2667d94cd18d364c8f44effc7b439516cef55c05ff7d8aeb4d2e2db360129fd03371f46

Download Submit
\Windows\SysWOW64\svcstqdonm.dll
Filesize
56KB

MD5
e676301ea288a915604d1c09ae740e8c

SHA1
8d8ebfb066bdd3c6e9f2d40e3106ebba0e026dee

SHA256
90ed93037a79fe8c89bc41debc7e94206dc220141b95c2da28d9193283cfb6ca

SHA512
6d0f23c0d10b977fb68a8897455ff6862d96830a1034525531060b2720933c73662cfff3b0505dc81bceb888d905634609dcb8672931de568ca32b02a00119a8

Download Submit
\Windows\Temp\lis602B.tmp
Filesize
56KB

MD5
0c200f5d698ff8bda1f7ba7fbd55faca

SHA1
2bbe17e367875b66ced1a6dc4e609c4909288654

SHA256
fcb48f73a3c86baa4e92b17aa1b8c920f6cef0c388a4e8fe7ce8f0da29713fd8

SHA512
52345849a5bca8f2fdb6fa01d759a3f799e74ab140b07e0d41f454e565167cdd6438b224fba3f730a499c88253fd73ab37454f3f142694581f9b407b949ff4d5

Download Submit
\Windows\Temp\lse655A.tmp
Filesize
56KB

MD5
cf8feebc5f99dbb1768491a34d9f14fb

SHA1
1671814cd629bc84603201a1dc96d81d667a02dd

SHA256
df1c2d22418c727b785e1b99be4e1d2c27d25126ffdf2ac26b92713cd4df950d

SHA512
b9eb4e43f60ac2a2c66da27c6d33a65c8613a17d80b73fd3bee4e3d54c60950eca75e10ee40049628becaf42d5a0ab3a1d0160e9e3d1e32d2f0252f37ce9cdeb

Download Submit
\Windows\Temp\lsp5F50.exe
Filesize
56KB

MD5
6fd5914202ba0a564c04afabc77de63a

SHA1
62d3ff60c3d343298379b9f15e675c5d4ce8cca1

SHA256
dac9cd7a1c7754fbfc108c2544bf0d256dd8bd09928ae70344f38736a22b704c

SHA512
38a1ec7c0fff8c2504c67d3f7ca9aa57ff85d5feb8021122bb91d780348f10e7ce1f430e0054874a35cc0e1d798e69e861b72a6c31984661b750e05104df6bbd

Download Submit
\Windows\Temp\lsp5F50.exe
Filesize
56KB

MD5
6fd5914202ba0a564c04afabc77de63a

SHA1
62d3ff60c3d343298379b9f15e675c5d4ce8cca1

SHA256
dac9cd7a1c7754fbfc108c2544bf0d256dd8bd09928ae70344f38736a22b704c

SHA512
38a1ec7c0fff8c2504c67d3f7ca9aa57ff85d5feb8021122bb91d780348f10e7ce1f430e0054874a35cc0e1d798e69e861b72a6c31984661b750e05104df6bbd

Download Submit
memory/1328-61-0x0000000000000000-mapping.dmp

Download
memory/1456-56-0x00000000746A0000-0x00000000746B1000-memory.dmp

Filesize
68KB

Download
memory/1456-55-0x0000000000010000-0x0000000000021000-memory.dmp

Filesize
68KB

Download
memory/1456-77-0x0000000000010000-0x0000000000021000-memory.dmp

Filesize
68KB

Download
memory/1456-78-0x00000000746A0000-0x00000000746B1000-memory.dmp

Filesize
68KB

Download
memory/1704-60-0x00000000745E0000-0x00000000745F1000-memory.dmp

Filesize
68KB

Download
memory/1824-65-0x0000000000000000-mapping.dmp

Download
memory/1824-69-0x0000000074570000-0x0000000074581000-memory.dmp

Filesize
68KB

Download
memory/1824-70-0x0000000000010000-0x0000000000021000-memory.dmp

Filesize
68KB

Download
memory/1824-76-0x0000000074550000-0x0000000074561000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads