Overview

overview

8

Static

static

94bca6065a...eb.exe

windows7-x64

8

94bca6065a...eb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94bca6065a694200df09742d609e9e1d7304f338aaa819d0fcafa00a5f7ea0eb.exe

  • Size

    76KB

  • MD5

    e57c118267efc922cc0a239851bf1e30

  • SHA1

    010ea211cd93a374c2d588a28e57f60b1f7051b7

  • SHA256

    94bca6065a694200df09742d609e9e1d7304f338aaa819d0fcafa00a5f7ea0eb

  • SHA512

    da53dfe1b6f6a65eafa4aa7a577083f9639861a8524b8f00e1f420c8493afdbc05296dead1130faea6793ab86399179016179fd18e504418fe07ea935923a240

  • SSDEEP

    1536:9iLQekT049P0zK5O/u92pHh9Oqwa1jrc:ssXT0K55+HeaZrc

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 20 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94bca6065a694200df09742d609e9e1d7304f338aaa819d0fcafa00a5f7ea0eb.exe
    "C:\Users\Admin\AppData\Local\Temp\94bca6065a694200df09742d609e9e1d7304f338aaa819d0fcafa00a5f7ea0eb.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\pul.dll Execute
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\sc.exe
        sc stop 360rp
        3⤵
        • Launches sc.exe
        PID:1368
      • C:\Windows\SysWOW64\sc.exe
        sc delete 360rp
        3⤵
        • Launches sc.exe
        PID:1536
      • C:\Windows\SysWOW64\sc.exe
        sc stop RsRavMon
        3⤵
        • Launches sc.exe
        PID:1748
      • C:\Windows\SysWOW64\sc.exe
        sc delete RsRavMon
        3⤵
        • Launches sc.exe
        PID:1492
      • C:\Windows\SysWOW64\sc.exe
        sc stop McNASvc
        3⤵
        • Launches sc.exe
        PID:1692
      • C:\Windows\SysWOW64\sc.exe
        sc delete McNASvc
        3⤵
        • Launches sc.exe
        PID:1820
      • C:\Windows\SysWOW64\sc.exe
        sc delete MpfService
        3⤵
        • Launches sc.exe
        PID:300
      • C:\Windows\SysWOW64\sc.exe
        sc stop MpfService
        3⤵
        • Launches sc.exe
        PID:648
      • C:\Windows\SysWOW64\sc.exe
        sc stop McProxy
        3⤵
        • Launches sc.exe
        PID:1756
      • C:\Windows\SysWOW64\sc.exe
        sc delete McProxy
        3⤵
        • Launches sc.exe
        PID:324
      • C:\Windows\SysWOW64\sc.exe
        sc stop McShield
        3⤵
        • Launches sc.exe
        PID:360
      • C:\Windows\SysWOW64\sc.exe
        sc delete McShield
        3⤵
        • Launches sc.exe
        PID:1552
      • C:\Windows\SysWOW64\sc.exe
        sc stop McODS
        3⤵
        • Launches sc.exe
        PID:1252
      • C:\Windows\SysWOW64\sc.exe
        sc delete McODS
        3⤵
        • Launches sc.exe
        PID:824
      • C:\Windows\SysWOW64\sc.exe
        sc stop mcmscsvc
        3⤵
        • Launches sc.exe
        PID:1636
      • C:\Windows\SysWOW64\sc.exe
        sc delete mcmscsvc
        3⤵
        • Launches sc.exe
        PID:1384
      • C:\Windows\SysWOW64\sc.exe
        sc delete McSysmon
        3⤵
        • Launches sc.exe
        PID:1952
      • C:\Windows\SysWOW64\sc.exe
        sc stop McSysmon
        3⤵
        • Launches sc.exe
        PID:1672
      • C:\Windows\SysWOW64\sc.exe
        sc stop ekrn
        3⤵
        • Launches sc.exe
        PID:1604
      • C:\Windows\SysWOW64\sc.exe
        sc delete ekrn
        3⤵
        • Launches sc.exe
        PID:1712
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32 C:\Windows\system32\nom.dll Execute
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      PID:1268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\nom.dll
    Filesize

    8KB

    MD5

    4026288a2daca37ac456f26dc1b713d3

    SHA1

    51a7b71868a5b6b8bc1bdf4d587ce03cde608243

    SHA256

    bac1c6fdb89138a479490d2f183a62fe43c8558f0d6e1a93c350ce904f3e11e4

    SHA512

    f7afd568976b1910a0f119fbc9cdce165b754f65828ed4b44ed1ebc06e5bce0df03fc7e786e3c39c325749ab27f514c438f021e65bd1e1acb38db56de5d73165

    Download Submit

  • C:\Windows\SysWOW64\pul.dll
    Filesize

    24KB

    MD5

    1ef60b6f4b5541b61eb3e5afae837b03

    SHA1

    9ba9437e8798f1ab0862d96422b0fd1f1a9f23da

    SHA256

    64f2be7a2f6eb7ed52fb191ceb0a122b8144e32ce1b1e9275e00934da42659be

    SHA512

    eaab6bb21ba803ece3a4974874e8fcb5a19f23445be2f6115af8cf05243c2fd4fe575882014bd117b7c2cab74d03b6d298d244f3be293191252fe1fb645a5ac4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\20BB.tmp
    Filesize

    1.7MB

    MD5

    b5eb5bd3066959611e1f7a80fd6cc172

    SHA1

    6fb1532059212c840737b3f923a9c0b152c0887a

    SHA256

    1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

    SHA512

    6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

    Download Submit

  • \Windows\SysWOW64\nom.dll
    Filesize

    8KB

    MD5

    4026288a2daca37ac456f26dc1b713d3

    SHA1

    51a7b71868a5b6b8bc1bdf4d587ce03cde608243

    SHA256

    bac1c6fdb89138a479490d2f183a62fe43c8558f0d6e1a93c350ce904f3e11e4

    SHA512

    f7afd568976b1910a0f119fbc9cdce165b754f65828ed4b44ed1ebc06e5bce0df03fc7e786e3c39c325749ab27f514c438f021e65bd1e1acb38db56de5d73165

    Download Submit

  • \Windows\SysWOW64\nom.dll
    Filesize

    8KB

    MD5

    4026288a2daca37ac456f26dc1b713d3

    SHA1

    51a7b71868a5b6b8bc1bdf4d587ce03cde608243

    SHA256

    bac1c6fdb89138a479490d2f183a62fe43c8558f0d6e1a93c350ce904f3e11e4

    SHA512

    f7afd568976b1910a0f119fbc9cdce165b754f65828ed4b44ed1ebc06e5bce0df03fc7e786e3c39c325749ab27f514c438f021e65bd1e1acb38db56de5d73165

    Download Submit

  • \Windows\SysWOW64\nom.dll
    Filesize

    8KB

    MD5

    4026288a2daca37ac456f26dc1b713d3

    SHA1

    51a7b71868a5b6b8bc1bdf4d587ce03cde608243

    SHA256

    bac1c6fdb89138a479490d2f183a62fe43c8558f0d6e1a93c350ce904f3e11e4

    SHA512

    f7afd568976b1910a0f119fbc9cdce165b754f65828ed4b44ed1ebc06e5bce0df03fc7e786e3c39c325749ab27f514c438f021e65bd1e1acb38db56de5d73165

    Download Submit

  • \Windows\SysWOW64\nom.dll
    Filesize

    8KB

    MD5

    4026288a2daca37ac456f26dc1b713d3

    SHA1

    51a7b71868a5b6b8bc1bdf4d587ce03cde608243

    SHA256

    bac1c6fdb89138a479490d2f183a62fe43c8558f0d6e1a93c350ce904f3e11e4

    SHA512

    f7afd568976b1910a0f119fbc9cdce165b754f65828ed4b44ed1ebc06e5bce0df03fc7e786e3c39c325749ab27f514c438f021e65bd1e1acb38db56de5d73165

    Download Submit

  • \Windows\SysWOW64\pul.dll
    Filesize

    24KB

    MD5

    1ef60b6f4b5541b61eb3e5afae837b03

    SHA1

    9ba9437e8798f1ab0862d96422b0fd1f1a9f23da

    SHA256

    64f2be7a2f6eb7ed52fb191ceb0a122b8144e32ce1b1e9275e00934da42659be

    SHA512

    eaab6bb21ba803ece3a4974874e8fcb5a19f23445be2f6115af8cf05243c2fd4fe575882014bd117b7c2cab74d03b6d298d244f3be293191252fe1fb645a5ac4

    Download Submit

  • \Windows\SysWOW64\pul.dll
    Filesize

    24KB

    MD5

    1ef60b6f4b5541b61eb3e5afae837b03

    SHA1

    9ba9437e8798f1ab0862d96422b0fd1f1a9f23da

    SHA256

    64f2be7a2f6eb7ed52fb191ceb0a122b8144e32ce1b1e9275e00934da42659be

    SHA512

    eaab6bb21ba803ece3a4974874e8fcb5a19f23445be2f6115af8cf05243c2fd4fe575882014bd117b7c2cab74d03b6d298d244f3be293191252fe1fb645a5ac4

    Download Submit

  • \Windows\SysWOW64\pul.dll
    Filesize

    24KB

    MD5

    1ef60b6f4b5541b61eb3e5afae837b03

    SHA1

    9ba9437e8798f1ab0862d96422b0fd1f1a9f23da

    SHA256

    64f2be7a2f6eb7ed52fb191ceb0a122b8144e32ce1b1e9275e00934da42659be

    SHA512

    eaab6bb21ba803ece3a4974874e8fcb5a19f23445be2f6115af8cf05243c2fd4fe575882014bd117b7c2cab74d03b6d298d244f3be293191252fe1fb645a5ac4

    Download Submit

  • \Windows\SysWOW64\pul.dll
    Filesize

    24KB

    MD5

    1ef60b6f4b5541b61eb3e5afae837b03

    SHA1

    9ba9437e8798f1ab0862d96422b0fd1f1a9f23da

    SHA256

    64f2be7a2f6eb7ed52fb191ceb0a122b8144e32ce1b1e9275e00934da42659be

    SHA512

    eaab6bb21ba803ece3a4974874e8fcb5a19f23445be2f6115af8cf05243c2fd4fe575882014bd117b7c2cab74d03b6d298d244f3be293191252fe1fb645a5ac4

    Download Submit

  • memory/300-68-0x0000000000000000-mapping.dmp

    Download

  • memory/324-70-0x0000000000000000-mapping.dmp

    Download

  • memory/360-71-0x0000000000000000-mapping.dmp

    Download

  • memory/648-67-0x0000000000000000-mapping.dmp

    Download

  • memory/824-74-0x0000000000000000-mapping.dmp

    Download

  • memory/1252-73-0x0000000000000000-mapping.dmp

    Download

  • memory/1268-81-0x0000000000000000-mapping.dmp

    Download

  • memory/1368-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1384-76-0x0000000000000000-mapping.dmp

    Download

  • memory/1492-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1552-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1604-79-0x0000000000000000-mapping.dmp

    Download

  • memory/1636-75-0x0000000000000000-mapping.dmp

    Download

  • memory/1672-77-0x0000000000000000-mapping.dmp

    Download

  • memory/1692-65-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-80-0x0000000000000000-mapping.dmp

    Download

  • memory/1748-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1756-69-0x0000000000000000-mapping.dmp

    Download

  • memory/1820-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1952-78-0x0000000000000000-mapping.dmp

    Download

  • memory/1980-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1980-55-0x0000000075521000-0x0000000075523000-memory.dmp

    Filesize

    8KB

    Download