65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb.exe
Size

108KB
MD5

44f6110e548b8018f01d838a55fdaba0
SHA1

0f9ccd7c4d0c13a8ae47bc7eeddeae5c807f3fec
SHA256

65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb
SHA512

adc2ab7898eda86d1aabc68e2231bc892091597ec9e92b06d1a3b4f00adb195bc39474f5698082dfae6e939d891dac03dd349267c8ffd30748765070db6c8a69
SSDEEP

1536:leRnCjzR8tr+5Mu5XjPYAtj48UJC5OZi04i5V1oJwmAMmoD4R:leRn+4r+5Mu5XbY+j4eOMwmAM

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb.exe

Deletes itself 1 IoCs

pid	Process
1216	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1216	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb.exe

C:\Users\Admin\AppData\Local\Temp\65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb.exe
"C:\Users\Admin\AppData\Local\Temp\65f3da67744b81baa74edd1691472c94d6b4925effb367cd551af85a844048eb.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll

Filesize
72KB

MD5
8bae0a135c8283705e48bc2f3b419b7b

SHA1
fb70051d6f5b545497c68c7097f2baace21a6792

SHA256
62204e1c6e9e6fa6a90f3bb6984e3e0add4164efd9b34a4ebffdfbce64d95554

SHA512
0b7ab9d3f29820e3a665ac5cf0e13ed0d8ced6f0a882972b6ba947d9eb4d4c272171bf5cf12d40be7559e552032a71d11d430cf48e6ae4c95ce485a09d1752ad

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll

Filesize
72KB

MD5
8bae0a135c8283705e48bc2f3b419b7b

SHA1
fb70051d6f5b545497c68c7097f2baace21a6792

SHA256
62204e1c6e9e6fa6a90f3bb6984e3e0add4164efd9b34a4ebffdfbce64d95554

SHA512
0b7ab9d3f29820e3a665ac5cf0e13ed0d8ced6f0a882972b6ba947d9eb4d4c272171bf5cf12d40be7559e552032a71d11d430cf48e6ae4c95ce485a09d1752ad

Download Submit
memory/1368-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download