7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79

Analysis

max time kernel
175s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll
Size

233KB
MD5

1b173632ce8c8478d9a4b3c3a3b53b60
SHA1

25b5c15bb8a70afc440e8cecf93b85d4e36cdcd9
SHA256

7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79
SHA512

6da423a1a21b6e22ec89dec18b4502ea367bc34de465022e3fbac11b4c855aac510097e6277065d8e967ce382282df9d9ad48b8042570b48349fdf0331818c9f
SSDEEP

3072:2Qadi1TFsLSLZwL4vxu587buCd7OWx9WLak0M1zLlUrbrqBJ4I/cQ5NYd4OpAidT:2XIr9wuu5895j/I10M1E/c0byMPKtunD

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Windows Share = "RunDll32 \"C:\\Windows\\system32\\hr-HR\\svcmsup.dll\",Init"	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hr-HR\svcmsup.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\svcmsup.dll	rundll32.exe
File created	C:\Windows\SysWOW64\sv-SE\msperf.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sv-SE\msperf.dll	rundll32.exe
File created	C:\Windows\SysWOW64\logperf.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\logperf.dll	rundll32.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4076	3092	rundll32.exe	55
PID 3092 wrote to memory of 4076	3092	rundll32.exe	55
PID 3092 wrote to memory of 4076	3092	rundll32.exe	55
PID 4076 wrote to memory of 1628	4076	rundll32.exe	85
PID 4076 wrote to memory of 1628	4076	rundll32.exe	85
PID 4076 wrote to memory of 1628	4076	rundll32.exe	85
PID 4076 wrote to memory of 2456	4076	rundll32.exe	23
PID 4076 wrote to memory of 2456	4076	rundll32.exe	23
PID 4076 wrote to memory of 2472	4076	rundll32.exe	66
PID 4076 wrote to memory of 2472	4076	rundll32.exe	66
PID 4076 wrote to memory of 2604	4076	rundll32.exe	62
PID 4076 wrote to memory of 2604	4076	rundll32.exe	62
PID 4076 wrote to memory of 1192	4076	rundll32.exe	58
PID 4076 wrote to memory of 1192	4076	rundll32.exe	58
PID 4076 wrote to memory of 3084	4076	rundll32.exe	57
PID 4076 wrote to memory of 3084	4076	rundll32.exe	57
PID 4076 wrote to memory of 3272	4076	rundll32.exe	56
PID 4076 wrote to memory of 3272	4076	rundll32.exe	56
PID 4076 wrote to memory of 3380	4076	rundll32.exe	54
PID 4076 wrote to memory of 3380	4076	rundll32.exe	54
PID 4076 wrote to memory of 3444	4076	rundll32.exe	31
PID 4076 wrote to memory of 3444	4076	rundll32.exe	31
PID 4076 wrote to memory of 3524	4076	rundll32.exe	53
PID 4076 wrote to memory of 3524	4076	rundll32.exe	53
PID 4076 wrote to memory of 3676	4076	rundll32.exe	52
PID 4076 wrote to memory of 3676	4076	rundll32.exe	52
PID 4076 wrote to memory of 1532	4076	rundll32.exe	41
PID 4076 wrote to memory of 1532	4076	rundll32.exe	41
PID 4076 wrote to memory of 4676	4076	rundll32.exe	34
PID 4076 wrote to memory of 4676	4076	rundll32.exe	34
PID 4076 wrote to memory of 2780	4076	rundll32.exe	33
PID 4076 wrote to memory of 2780	4076	rundll32.exe	33
PID 4076 wrote to memory of 3092	4076	rundll32.exe	32
PID 4076 wrote to memory of 3092	4076	rundll32.exe	32
PID 4076 wrote to memory of 4260	4076	rundll32.exe	83
PID 4076 wrote to memory of 4260	4076	rundll32.exe	83
PID 4076 wrote to memory of 1628	4076	rundll32.exe	85
PID 4076 wrote to memory of 1628	4076	rundll32.exe	85
PID 4076 wrote to memory of 4184	4076	rundll32.exe	99
PID 4076 wrote to memory of 4184	4076	rundll32.exe	99

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll,#1
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32 "C:\Users\Admin\AppData\Local\Temp\7f5bc40b0116497652dbd25d53ecd35364a218ed42fb53f0929e2d2c0e097a79.dll",Init
    3⤵
    PID:1628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2780

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4676

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:1532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-138-0x0000000075130000-0x000000007517F000-memory.dmp

Filesize
316KB

Download
memory/1628-140-0x0000000075130000-0x000000007517F000-memory.dmp

Filesize
316KB

Download
memory/4076-134-0x0000000075130000-0x000000007517F000-memory.dmp

Filesize
316KB

Download
memory/4076-135-0x0000000075130000-0x000000007517F000-memory.dmp

Filesize
316KB

Download
memory/4076-139-0x0000000075130000-0x000000007517F000-memory.dmp

Filesize
316KB

Download