9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
Size

77KB
MD5

80d8de34a72a246cc00b87cd0dc6f7ad
SHA1

c0284a340a09b9ed97ed1a18e90f11573dc4aa6d
SHA256

9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d
SHA512

9a9337a8f247bbb55fc08ec6582ab3b630ed1ff0ae9c92c116a73937f4e49829dd77001c86fffa61babd6db057e035a46afe77af8ad068cf302e4f8fdbfcabf5
SSDEEP

1536:osyqFgD9LMz6UQWEmug3vE/YqYdXobsFz+YsvOV4CZX5Q01W65F:oJBff3YDdXobswYsmZpQ01NF

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 36 IoCs

flow	pid	Process
1	2032	rundll32.exe
2	2032	rundll32.exe
3	2032	rundll32.exe
4	2032	rundll32.exe
5	2032	rundll32.exe
6	2032	rundll32.exe
8	2032	rundll32.exe
9	2032	rundll32.exe
10	2032	rundll32.exe
11	2032	rundll32.exe
12	2032	rundll32.exe
15	2032	rundll32.exe
20	2032	rundll32.exe
21	2032	rundll32.exe
22	2032	rundll32.exe
23	2032	rundll32.exe
24	2032	rundll32.exe
25	2032	rundll32.exe
26	2032	rundll32.exe
27	2032	rundll32.exe
28	2032	rundll32.exe
29	2032	rundll32.exe
30	2032	rundll32.exe
31	2032	rundll32.exe
33	2032	rundll32.exe
34	2032	rundll32.exe
35	2032	rundll32.exe
36	2032	rundll32.exe
37	2032	rundll32.exe
38	2032	rundll32.exe
39	2032	rundll32.exe
40	2032	rundll32.exe
41	2032	rundll32.exe
42	2032	rundll32.exe
43	2032	rundll32.exe
44	2032	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\usbinckey.sys	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe

Executes dropped EXE 1 IoCs

pid	Process
956	cardctrl.exe

Deletes itself 1 IoCs

pid	Process
1004	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe

Unexpected DNS network traffic destination 24 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	209.166.160.36
Destination IP	165.87.201.244
Destination IP	165.87.201.244
Destination IP	165.87.201.244
Destination IP	168.95.192.1
Destination IP	165.87.201.244
Destination IP	168.95.192.1
Destination IP	208.67.222.222
Destination IP	168.95.192.1
Destination IP	208.67.222.222
Destination IP	168.95.192.1
Destination IP	208.67.222.222
Destination IP	209.166.160.36
Destination IP	165.87.201.244
Destination IP	168.95.192.1
Destination IP	208.67.222.222
Destination IP	209.166.160.36
Destination IP	168.95.192.1
Destination IP	208.67.222.222
Destination IP	209.166.160.36
Destination IP	208.67.222.222
Destination IP	209.166.160.36
Destination IP	209.166.160.36
Destination IP	165.87.201.244

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cardctrl.exe	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
File created	C:\Windows\SysWOW64\usbinckey.dll	cardctrl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\SysWOW64\cardctrl.exe	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
832	ipconfig.exe
368	ipconfig.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a\WpadDecisionTime = 10ad10b39f04d901	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\a2-e9-79-e4-7f-5a	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\WpadDecisionTime = b0d346989f04d901	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\WpadNetworkName = "Network 2"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a\WpadDecisionTime = b0d346989f04d901	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a\WpadDetectedUrl	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}\WpadDecisionTime = 10ad10b39f04d901	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23896681-2F7C-457F-95A1-C89420667DBB}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e9-79-e4-7f-5a	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 368	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	27
PID 988 wrote to memory of 368	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	27
PID 988 wrote to memory of 368	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	27
PID 988 wrote to memory of 368	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	27
PID 956 wrote to memory of 832	956	cardctrl.exe	30
PID 956 wrote to memory of 832	956	cardctrl.exe	30
PID 956 wrote to memory of 832	956	cardctrl.exe	30
PID 956 wrote to memory of 832	956	cardctrl.exe	30
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 956 wrote to memory of 2032	956	cardctrl.exe	32
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33
PID 988 wrote to memory of 1004	988	9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe	33

C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
"C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe
  2⤵
  - Gathers network information
  PID:368
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\usbinckey.dll,DelInterface C:\Users\Admin\AppData\Local\Temp\9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1004

C:\Windows\SysWOW64\cardctrl.exe
C:\Windows\SysWOW64\cardctrl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe
  2⤵
  - Gathers network information
  PID:832
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\usbinckey.dll,GetInterface
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cardctrl.exe

Filesize
77KB

MD5
80d8de34a72a246cc00b87cd0dc6f7ad

SHA1
c0284a340a09b9ed97ed1a18e90f11573dc4aa6d

SHA256
9044ebb75dcd8392c9e37a238b292f35abd391dde29ebd7888a4a4f5fa9a861d

SHA512
9a9337a8f247bbb55fc08ec6582ab3b630ed1ff0ae9c92c116a73937f4e49829dd77001c86fffa61babd6db057e035a46afe77af8ad068cf302e4f8fdbfcabf5

Download Submit
C:\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
\Windows\SysWOW64\usbinckey.dll

Filesize
43KB

MD5
7ab16973c0e72adda99fa094434913ff

SHA1
75c02a9da9e4b3175d53c9baaecb191174f4412c

SHA256
1e678ec3145b862b163c2661980302a661a46e247c1efd921ad34855c1ef39b3

SHA512
48c558d1e788f6f8ce0b6695bdb8c9c971c7966db992efa7346194d9f221475d5ea9a96b08171c7e4fe5d91753c01f80bd5692b141ce76affa3e41d5328ad651

Download Submit
memory/368-54-0x0000000000000000-mapping.dmp

Download
memory/368-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/832-57-0x0000000000000000-mapping.dmp

Download
memory/956-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/988-68-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-67-0x0000000000000000-mapping.dmp

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download
memory/2032-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download