0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5

Analysis

max time kernel
151s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5.exe
Size

572KB
MD5

9051b557b61558ec0e2170e1f8ee7490
SHA1

a906028b8702dc409ca3348826b83a57675dc86f
SHA256

0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5
SHA512

f89d19cf848c833f87afbbd2a57442bb057a4a847bdae7bc2dc2c068bea92b9bb83ca168fac2c90c4bb610a7d3b2e5856a6be5424badfe36d597b185e6119419
SSDEEP

12288:HE5adJFAgBv3r+TMP10fWdNHKKWZIe7qM5kN5cEXYUBGc:HBjFAgBv3r+TMP106NqKWZ7qM5kNHXYm

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ej353.no-ip.org\Parameters\ServiceDll = "C:\\Windows\\system32\\server.dll"	0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5.exe

Loads dropped DLL 5 IoCs

pid	Process
272	svchost.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server.dll	0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29
PID 272 wrote to memory of 1664	272	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5.exe
"C:\Users\Admin\AppData\Local\Temp\0658e06a29228419c2d14eb980d3d25744354b99dd10ef155836c1d3c9391fa5.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:1132

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\server.dll,main
  2⤵
  - Loads dropped DLL
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
\Windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
\Windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
\Windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
\Windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
\Windows\SysWOW64\server.dll

Filesize
491KB

MD5
ce4bd4d7950ed18499bfcb395b4dd358

SHA1
116682da37c359bfdc7a7a9a5f82dc89d2344315

SHA256
7abfeeadefb8e60b8f396a79a340a53785a70e520b5e14d94a244fe27bb96a5f

SHA512
3ea05544e627f11651b59f7b545b9d356cce3f88c66ad0b7127e930f63f20acb758c7693e1c41340b457d74d5d27d75ccadb35e56bf6e7477e867e88c1ac4f02

Download Submit
memory/1132-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1132-55-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1132-58-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download