557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920

Analysis

max time kernel
264s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
Size

121KB
MD5

39853abd6e378e1ade27cba9d98d7cac
SHA1

48b05671cbe034296c7d850999f05fb6913bebaa
SHA256

557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920
SHA512

d88a4e0f882ee5507f5fd98962bcf70dc6a5f94a34d98058a6831f9364ac7d5befcf67c16db598c5a5931562b2ec009f6ae11bf596492abb6d9a2b155f44b064
SSDEEP

3072:kuq65sZ9qO50Y0hGNy5S40cISVF50XsUU2Ohzkit:kuq655OaJ05uF508SuzL

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Rspdates Apxplicatiijrq\Parameters\ServiceDll	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe

Deletes itself 1 IoCs

pid	Process
1584	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1584	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MyInformations.ini	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
File created	C:\Windows\XHJ38.txt	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
File created	C:\Windows\XHJ38.reg	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1532	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
1532	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1532	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
Token: SeRestorePrivilege	1532	557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe

C:\Users\Admin\AppData\Local\Temp\557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe
"C:\Users\Admin\AppData\Local\Temp\557a26466e9fff1708d7c104a3be6ecb2605f134565b3b13d5a4ec4c80cea920.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\rspdates.dll

Filesize
106KB

MD5
273f5541ad1b4000f67c0e521753257c

SHA1
dd7b99434d50b21a195271feb7f15bc7c2e0d02a

SHA256
28eee93507b81fc0019140fc2409b7798bfd51694ae626307522201505aee3ae

SHA512
56522120350f0857151e42388f5c497cd2bc89dba15c114fc2b368006f7522007d85ae70e77689859f08ffc87882ca81e7b37eb264c14def7b7d15d70a28acc5

Download Submit
\Windows\SysWOW64\Rspdates.dll

Filesize
106KB

MD5
273f5541ad1b4000f67c0e521753257c

SHA1
dd7b99434d50b21a195271feb7f15bc7c2e0d02a

SHA256
28eee93507b81fc0019140fc2409b7798bfd51694ae626307522201505aee3ae

SHA512
56522120350f0857151e42388f5c497cd2bc89dba15c114fc2b368006f7522007d85ae70e77689859f08ffc87882ca81e7b37eb264c14def7b7d15d70a28acc5

Download Submit
memory/1532-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1532-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1584-57-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download