adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll
Size

23KB
MD5

59856d1926c9f4846cc4efeac492acae
SHA1

1cdc90969c610d9bf036a91e7ebfb878915f2664
SHA256

adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f
SHA512

e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e
SSDEEP

384:pYIp8RA0nHWX2I/LuE1iOLSgHu0OtjryMu2iFoNTlpRSIUtLDRw9s:p5qAEQuE1XLSgHV2jryMCmBpnYL12

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "%SystemRoot%\\System32\\winmide32.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "%SystemRoot%\\System32\\winmide32.dll"	svchost.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1108	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wins\wins.lib	rundll32.exe
File created	C:\Windows\SysWOW64\winmide32.dll	svchost.exe
File created	C:\Windows\SysWOW64\wins\wins.lib	svchost.exe
File created	C:\Windows\SysWOW64\winmide32.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\winmide32.dll	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	1108	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1520 wrote to memory of 688	1520	rundll32.exe	28
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25
PID 1108 wrote to memory of 336	1108	svchost.exe	25

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Drops file in System32 directory
  PID:688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\winmide32.dll

Filesize
23KB

MD5
59856d1926c9f4846cc4efeac492acae

SHA1
1cdc90969c610d9bf036a91e7ebfb878915f2664

SHA256
adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

SHA512
e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e

Download Submit
\Windows\SysWOW64\winmide32.dll

Filesize
23KB

MD5
59856d1926c9f4846cc4efeac492acae

SHA1
1cdc90969c610d9bf036a91e7ebfb878915f2664

SHA256
adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f

SHA512
e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e

Download Submit
memory/336-61-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/688-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/688-59-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1108-60-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download