ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465.dll
Size

19KB
MD5

04b211d5782800badd22a5957f957c94
SHA1

3ebb1012cecc1251de19a377d5c5a676dfd719e2
SHA256

ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465
SHA512

503ee19d10d8b5cc48a456fbed2949770cfc096af0aa46ea74a5999b90e89875b41120d30b6c42d2ec0b6efe2e0876a352c4d9370dfd1f33926374abaa914078
SSDEEP

384:bWYdMCPMbvso6uDp1rFMnvRc0dYhWd0VCIbJo8YFGqP5vXWvwWocwoCm:KYdMCPMbvso5t1q5c0dVdYCIRYFp5vc6

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\sys64.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4848	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sys64.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sys64.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4596	3444	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3444	rundll32.exe
3444	rundll32.exe
3444	rundll32.exe
3444	rundll32.exe
4848	svchost.exe
4848	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3444	2328	rundll32.exe	80
PID 2328 wrote to memory of 3444	2328	rundll32.exe	80
PID 2328 wrote to memory of 3444	2328	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 692
    3⤵
    - Program crash
    PID:4596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3444 -ip 3444
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
C:\Windows\SysWOW64\sys64.dll

Filesize
19KB

MD5
04b211d5782800badd22a5957f957c94

SHA1
3ebb1012cecc1251de19a377d5c5a676dfd719e2

SHA256
ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465

SHA512
503ee19d10d8b5cc48a456fbed2949770cfc096af0aa46ea74a5999b90e89875b41120d30b6c42d2ec0b6efe2e0876a352c4d9370dfd1f33926374abaa914078

Download Submit
\??\c:\windows\SysWOW64\sys64.dll

Filesize
19KB

MD5
04b211d5782800badd22a5957f957c94

SHA1
3ebb1012cecc1251de19a377d5c5a676dfd719e2

SHA256
ec77e47addd1b2ac9318306f6ebadc0473daa1cd1595a8e207fb62104e06d465

SHA512
503ee19d10d8b5cc48a456fbed2949770cfc096af0aa46ea74a5999b90e89875b41120d30b6c42d2ec0b6efe2e0876a352c4d9370dfd1f33926374abaa914078

Download Submit