7e26cd505e11bd653fe4365c05cda5819f7a14ff75da1dc0d43776f2e02b96c5

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e26cd505e11bd653fe4365c05cda5819f7a14ff75da1dc0d43776f2e02b96c5.dll
Size

104KB
MD5

68f7fcf9acb7ac6349a0052c15667628
SHA1

e2be1edc919826a9319e8ac0bbb6e6df29ab9434
SHA256

7e26cd505e11bd653fe4365c05cda5819f7a14ff75da1dc0d43776f2e02b96c5
SHA512

265b44268921c87a6acdbaf578be61b9f2398396b6724053e46704ad4d94be38992b09933ee70e7eca4b275ca8adb25b0dbb5a1cf5779e855bb3627d17d40372
SSDEEP

1536:E1dhZGC14V+78WBnpt/jlkhQ6dcMnyfha0RHmlpCpqTjC:8dhZz1bd6Q6dXnEha0dmlpCpqTjC

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\HidServ\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hidserv\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	rundll32.exe
File created	C:\Windows\SysWOW64\helpsvc.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27
PID 1132 wrote to memory of 1172	1132	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e26cd505e11bd653fe4365c05cda5819f7a14ff75da1dc0d43776f2e02b96c5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e26cd505e11bd653fe4365c05cda5819f7a14ff75da1dc0d43776f2e02b96c5.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-55-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download