7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79

General

Target

7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll
Size

233KB
MD5

1b173632ce8c8478d9a4b3c3a3b53b60
SHA1

25b5c15bb8a70afc440e8cecf93b85d4e36cdcd9
SHA256

7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79
SHA512

6da423a1a21b6e22ec89dec18b4502ea367bc34de465022e3fbac11b4c855aac510097e6277065d8e967ce382282df9d9ad48b8042570b48349fdf0331818c9f
SSDEEP

3072:2Qadi1TFsLSLZwL4vxu587buCd7OWx9WLak0M1zLlUrbrqBJ4I/cQ5NYd4OpAidT:2XIr9wuu5895j/I10M1E/c0byMPKtunD

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Windows Share = "RunDll32 \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\PROOF\\lsaperf.dll\",Init"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spp\tokens\srvsrv.dll	rundll32.exe
File created	C:\Windows\SysWOW64\spp\tokens\srvsrv.dll	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\lsaperf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\lsaperf.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\hostsvc.dll	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\hostsvc.dll	rundll32.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
276	rundll32.exe
276	rundll32.exe
276	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 344 wrote to memory of 276	344	rundll32.exe	28
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 1132	276	rundll32.exe	12
PID 276 wrote to memory of 1132	276	rundll32.exe	12
PID 276 wrote to memory of 1172	276	rundll32.exe	14
PID 276 wrote to memory of 1172	276	rundll32.exe	14
PID 276 wrote to memory of 1204	276	rundll32.exe	16
PID 276 wrote to memory of 1204	276	rundll32.exe	16
PID 276 wrote to memory of 344	276	rundll32.exe	27
PID 276 wrote to memory of 344	276	rundll32.exe	27
PID 276 wrote to memory of 564	276	rundll32.exe	29
PID 276 wrote to memory of 564	276	rundll32.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll,#1
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32 "C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll",Init
      4⤵
      PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/276-56-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/276-57-0x0000000075240000-0x000000007528F000-memory.dmp

Filesize
316KB

Download
memory/276-58-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/276-59-0x0000000075240000-0x000000007528F000-memory.dmp

Filesize
316KB

Download
memory/276-73-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/564-74-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/1132-63-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing