a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592

Analysis

max time kernel
151s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
Size

167KB
MD5

ca5e70289b0af60370bb3e6db9a768d2
SHA1

28b48645bce165992e677171e48fb7a04f9092ec
SHA256

a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592
SHA512

39eb9fb3e632a5a7f7885665e090e3a0106953772ff24d50846f72d1ec6be2f19852a4c05d142bc086b00d67cfc292a2412c1e1ba5e7dbd369f4a237c65c71d5
SSDEEP

3072:rmpuX5haormHnEJ6GPKFM19/cAK5G13abErH/8X1Q:rmpuX5ha+mcR1p05G1yE5

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetworkDDjrq\Parameters\ServiceDll	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe

Loads dropped DLL 1 IoCs

pid	Process
4740	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
Token: SeRestorePrivilege	3988	a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe

C:\Users\Admin\AppData\Local\Temp\a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe
"C:\Users\Admin\AppData\Local\Temp\a9918c2468282cfdd30d998a4c9d1d5ce76e2fba84dba5411626f1dccb8ad592.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Network.dll

Filesize
30.1MB

MD5
9a4ea4481f83e72bb4640ff97255ab0b

SHA1
a02311f4968c6223d86d5813901dc4a40a96fa1a

SHA256
62ac021ba28050c753818623c8f2979a2492cec3650b0804831adb847257e326

SHA512
caef40208fbecbef010fb33f42454e6b1acd59e225cd5c4fcb9b07793bed42c1d26fc0d29ec2295e15b9425432ae552cb4843de7cdde6a5c9bc552cb13712cf6

Download Submit
\??\c:\program files\common files\network.dll

Filesize
30.1MB

MD5
9a4ea4481f83e72bb4640ff97255ab0b

SHA1
a02311f4968c6223d86d5813901dc4a40a96fa1a

SHA256
62ac021ba28050c753818623c8f2979a2492cec3650b0804831adb847257e326

SHA512
caef40208fbecbef010fb33f42454e6b1acd59e225cd5c4fcb9b07793bed42c1d26fc0d29ec2295e15b9425432ae552cb4843de7cdde6a5c9bc552cb13712cf6

Download Submit
memory/3988-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3988-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download