a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

Analysis

max time kernel
150s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Size

416KB
MD5

acb806b971d7ff0a4af77df4facbbdd7
SHA1

97af051f25e285ae1ba3af2ec1b4506001136808
SHA256

a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83
SHA512

1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b
SSDEEP

12288:N7ihipiOvv+8LuyhMqrGbBilF5q+iIL8:N7Cilv8yvrGwlF5q+6

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spooler	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spooler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\spoolsv.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mstsc	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mstsc = "C:\\ProgramData\\mstsc.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\dllhost.exe	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
File created	C:\Windows\SysWOW64\drivers\ieudinit.exe	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXF971.tmp	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	ieudinit.exe

Loads dropped DLL 15 IoCs

pid	Process
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\DCOM	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\DCOM = "C:\\Windows\\System32\\drivers\\dllhost.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm service	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsm service = "C:\\Windows\\System\\lsm.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstinit.exe	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
File opened for modification	C:\Windows\RCXFA8D.tmp	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
File created	C:\Windows\System\lsm.exe	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
File opened for modification	C:\Windows\System\RCXF807.tmp	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Scheduler = "C:\\Windows\\mstinit.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Scheduler	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dllhst3g.exe"	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28
PID 1980 wrote to memory of 1908	1980	a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe	28

C:\Users\Admin\AppData\Local\Temp\a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe
"C:\Users\Admin\AppData\Local\Temp\a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\drivers\ieudinit.exe
  C:\Windows\System32\drivers\ieudinit.exe /a 1
  2⤵
  - Executes dropped EXE
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
15a3db517febeef5a9a20a3481de8526

SHA1
e6437200cbb55c51c1e8abc38b62a0e6beb2a78f

SHA256
0c47eb6a345a63ad212f32a12475a1328386b541e87d30673ebdff39be7cd4fa

SHA512
e65f4d0e2491a378161a55e9f8fa611a679e2713a6b4f091425d031041bff7bab5188cdfb9cb4870992507f9cabac4479de41a7c986323acd868a1ebed8c368f

Download Submit
C:\Windows\SysWOW64\drivers\ieudinit.exe

Filesize
416KB

MD5
f8444733247c297ac75ee08fe00c9d86

SHA1
87e3abbc3d7af2e9e5ad35ef928796a3fe6c66c3

SHA256
0f5cf8caa94f38c405b42349807486bad4e9a68bc3e8508566d1ee7d7a2911f4

SHA512
2c3854f746730398ef97a1add6fa457c460df9f0fea37f33519026904cf5b4ca9403d1f55384e5ac433783ba5d7d9e0708be2dfaff30975796e54b29fa9ba40d

Download Submit
\ProgramData\mstsc.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\ProgramData\mstsc.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Local\Microsoft\spoolsv.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Local\Microsoft\spoolsv.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dllhst3g.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dllhst3g.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\SysWOW64\drivers\dllhost.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\SysWOW64\drivers\dllhost.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\SysWOW64\drivers\ieudinit.exe

Filesize
416KB

MD5
f8444733247c297ac75ee08fe00c9d86

SHA1
87e3abbc3d7af2e9e5ad35ef928796a3fe6c66c3

SHA256
0f5cf8caa94f38c405b42349807486bad4e9a68bc3e8508566d1ee7d7a2911f4

SHA512
2c3854f746730398ef97a1add6fa457c460df9f0fea37f33519026904cf5b4ca9403d1f55384e5ac433783ba5d7d9e0708be2dfaff30975796e54b29fa9ba40d

Download Submit
\Windows\SysWOW64\drivers\ieudinit.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\SysWOW64\drivers\ieudinit.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\system\lsm.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
\Windows\system\lsm.exe

Filesize
416KB

MD5
acb806b971d7ff0a4af77df4facbbdd7

SHA1
97af051f25e285ae1ba3af2ec1b4506001136808

SHA256
a7f88deef51fa5e745bec6cc2cab29498f2da6ce124b1e3b11f81003473a7c83

SHA512
1c274d214eb35df329c34af8f55d50c318b7467fe7069be84c84b6de95a65857225de60d3ccc46c054a260fdbe5ae633bb9bfa70db41d11fac2eaf2d1db90b8b

Download Submit
memory/1908-72-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads