b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

Analysis

max time kernel
151s
max time network
83s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Size

515KB
MD5

aeed651f979e942281e73a08181fbdc4
SHA1

987f17265a289ac9172b1111f3e65b01c05fbc11
SHA256

b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557
SHA512

0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e
SSDEEP

12288:UJjPtlxWzYE6mFoC2Lg+WYeg5lqoswkC+kwr:UJBlczY5C2Lg+5eg5lJsrkw

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Task Scheduler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\mstinit.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Task Scheduler	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Task Scheduler = "C:\\Users\\Admin\\Local Settings\\Application Data\\mstinit.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Task Scheduler	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	lsm.exe

Loads dropped DLL 15 IoCs

pid	Process
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Mstsc	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Mstsc = "C:\\ProgramData\\mstsc.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\DCOM	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\DCOM = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhost.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RCXFEDD.tmp	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
File created	C:\Windows\clipsrv.exe	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm service = "C:\\Users\\Admin\\Local Settings\\Application Data\\lsm.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mstsc = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\mstsc.exe"	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm service	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mstsc	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1908	1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe	28
PID 1980 wrote to memory of 1908	1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe	28
PID 1980 wrote to memory of 1908	1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe	28
PID 1980 wrote to memory of 1908	1980	b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe	28

C:\Users\Admin\AppData\Local\Temp\b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe
"C:\Users\Admin\AppData\Local\Temp\b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\Local Settings\Application Data\lsm.exe
  "C:\Users\Admin\Local Settings\Application Data\lsm.exe" /a 1
  2⤵
  - Executes dropped EXE
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
aa85136012cd810138d111294f30c992

SHA1
f0adce261814a5cf6f5690cb6115f03635f94f52

SHA256
47ade3cb261815629b1e4fd364904e9a66b8687b5acb408b568aeae762a1f081

SHA512
7613b9613cc24a884ab107d68eef3e758a4e519e358250ea1d7d45656971f1ad1658315cb779f39baf13c38297525bdb823ea84cbae66498a2e4c91ac0501790

Download Submit
C:\Users\Admin\AppData\Local\lsm.exe

Filesize
515KB

MD5
7ee04612f34e712ae9fa2d4fe1f4988b

SHA1
237414c513f34824c60bf83d47bdaedaa5155063

SHA256
ccca6a9c9b324a56e884d8c65642cbf6c5f4dcc0d5e10fbac4b4b66c5caedc13

SHA512
7e23911cbc9fb37407cbd5df6ce01b37323da40138c6ee8a68c8a8b72978eb700f29a7cee325227ca848af7cb1089434972033d9b72494daa91cf7f41c65852d

Download Submit
\ProgramData\mstsc.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\ProgramData\mstsc.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\mstsc.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\mstsc.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\mstinit.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\Microsoft\mstinit.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\esentutl.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\esentutl.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\lsm.exe

Filesize
515KB

MD5
7ee04612f34e712ae9fa2d4fe1f4988b

SHA1
237414c513f34824c60bf83d47bdaedaa5155063

SHA256
ccca6a9c9b324a56e884d8c65642cbf6c5f4dcc0d5e10fbac4b4b66c5caedc13

SHA512
7e23911cbc9fb37407cbd5df6ce01b37323da40138c6ee8a68c8a8b72978eb700f29a7cee325227ca848af7cb1089434972033d9b72494daa91cf7f41c65852d

Download Submit
\Users\Admin\AppData\Local\lsm.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\lsm.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\mstinit.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
\Users\Admin\AppData\Local\mstinit.exe

Filesize
515KB

MD5
aeed651f979e942281e73a08181fbdc4

SHA1
987f17265a289ac9172b1111f3e65b01c05fbc11

SHA256
b3da5d0851dc3eb600802b2cf5ae4689aaec1cfd321e4ea335fc3fe2fcc6c557

SHA512
0f789130004cb4d74bc03d6729924b141cc6c570ed84b15e4d43d60570c153930de1348e37a86db6d8f6efb7b9bd830e823cdfc4d886dec6f9fe72292993271e

Download Submit
memory/1908-72-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads