c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705

Analysis

max time kernel
182s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe
Size

3.4MB
MD5

e4f0038a0855493b3236d32f483538d3
SHA1

f9f7d26f7237151dd7000abf4e3cf8f9f2a336c6
SHA256

c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705
SHA512

1d782515734634278ef872d7ae53425c222e3c2933d69875409b9808f927b5400c477abb5a7f83a0f355e902d216579710f73f5c56c57cc70919580c4135bbc9
SSDEEP

49152:bMd7V/fGcwN4GyXjR1x4W6Pcdh6JIKZJL1izAuIUirESzXvi/l1JU+I08b8i1pUG:b4/fGcwN45LDd6JjL1i03a3y18i1gGw

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3784	svchost.exe
2008	svchost.exe
3748	Keymaker.exe
1708	lsass.exe
4728	lsass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2472	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
3748	Keymaker.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 2008	3784	svchost.exe	80
PID 1708 set thread context of 4728	1708	lsass.exe	85

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4676	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3784	svchost.exe
2008	svchost.exe
1708	lsass.exe
4728	lsass.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3784	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	79
PID 3596 wrote to memory of 3784	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	79
PID 3596 wrote to memory of 3784	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	79
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3784 wrote to memory of 2008	3784	svchost.exe	80
PID 3596 wrote to memory of 3748	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	81
PID 3596 wrote to memory of 3748	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	81
PID 3596 wrote to memory of 3748	3596	c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe	81
PID 2008 wrote to memory of 2472	2008	svchost.exe	82
PID 2008 wrote to memory of 2472	2008	svchost.exe	82
PID 2008 wrote to memory of 2472	2008	svchost.exe	82
PID 2008 wrote to memory of 1708	2008	svchost.exe	84
PID 2008 wrote to memory of 1708	2008	svchost.exe	84
PID 2008 wrote to memory of 1708	2008	svchost.exe	84
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85
PID 1708 wrote to memory of 4728	1708	lsass.exe	85

C:\Users\Admin\AppData\Local\Temp\c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe
"C:\Users\Admin\AppData\Local\Temp\c7419bd7201f2bb76df1f2a463219209e9e7b8a58b62c7821ca99fa33354d705.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2472
  - - C:\Users\Admin\AppData\Roaming\lsass.exe
      "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Roaming\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keymaker.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keymaker.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keymaker.exe

Filesize
3.1MB

MD5
868e76bc9830820054d3c11501ea3cb5

SHA1
f604ed72e576776ccacf90114bdd0a090a407796

SHA256
960b857a47c4bd90902c651b7e8abd82589771cea805a7869a729f7ef2d84e10

SHA512
1a848d1da000a5c1c4dedabdfee44d87ff893b6cf5651fe47bf781fb1c9778d72bd785ed7704d1ae260de9fbcd52065107d265d5ee6bd0f2ef5d5b6786b13112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keymaker.exe

Filesize
3.1MB

MD5
868e76bc9830820054d3c11501ea3cb5

SHA1
f604ed72e576776ccacf90114bdd0a090a407796

SHA256
960b857a47c4bd90902c651b7e8abd82589771cea805a7869a729f7ef2d84e10

SHA512
1a848d1da000a5c1c4dedabdfee44d87ff893b6cf5651fe47bf781fb1c9778d72bd785ed7704d1ae260de9fbcd52065107d265d5ee6bd0f2ef5d5b6786b13112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
308KB

MD5
21cb364069443782d2467e8bb5a06004

SHA1
4ef3be65b33aeb58618722edaa583d8f014c1a7f

SHA256
33f0b72e285f3cf58b7480ebc18a3a29ce54b46172e3c50f2bc5375ac0792c60

SHA512
03a515d9f86d70fa12aab4552a6c26db59fc20b7afa6081c62b6772a8c8337535c59d5c79aac631d02337f372c9a6eac8181e48ff0ce67495bff9024a0d2847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
308KB

MD5
21cb364069443782d2467e8bb5a06004

SHA1
4ef3be65b33aeb58618722edaa583d8f014c1a7f

SHA256
33f0b72e285f3cf58b7480ebc18a3a29ce54b46172e3c50f2bc5375ac0792c60

SHA512
03a515d9f86d70fa12aab4552a6c26db59fc20b7afa6081c62b6772a8c8337535c59d5c79aac631d02337f372c9a6eac8181e48ff0ce67495bff9024a0d2847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
308KB

MD5
21cb364069443782d2467e8bb5a06004

SHA1
4ef3be65b33aeb58618722edaa583d8f014c1a7f

SHA256
33f0b72e285f3cf58b7480ebc18a3a29ce54b46172e3c50f2bc5375ac0792c60

SHA512
03a515d9f86d70fa12aab4552a6c26db59fc20b7afa6081c62b6772a8c8337535c59d5c79aac631d02337f372c9a6eac8181e48ff0ce67495bff9024a0d2847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
33KB

MD5
59c595d1c33069cd60d461b2e1b3c1ca

SHA1
aab78d5b0ecb28f1d8d50afdcb65fb4281865d10

SHA256
b2cae63d90e2dc9ff5f85e67b3896bbd0cd5680e8feacb9042702529a3bb7d98

SHA512
8f6cfdf328a5881a9bbf75f1192c9c0c6cced86f016ee474679bd8b0b1cce86b9b163f63293f6bad96125da38c0620dc5597103cb942fbe6c5452af73838091a

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
308KB

MD5
d31cd58c6d1b6a0d4c3849e604e5aef9

SHA1
94a3f92b2e76a3409f3032c2f77cef12517fc6cc

SHA256
7194f949aedab829fadb3b41daa6eb86386e289c3e7559d070fb10082892bd56

SHA512
cf501b4c5ae917fcc7f708ad0d3d8112641637c89eabdc22cd1525cd02393104852d6c26ab65439c33ff8c1bc83ebdebccdd3c3e1c25cd4172b5b4eb2934ea17

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
308KB

MD5
d31cd58c6d1b6a0d4c3849e604e5aef9

SHA1
94a3f92b2e76a3409f3032c2f77cef12517fc6cc

SHA256
7194f949aedab829fadb3b41daa6eb86386e289c3e7559d070fb10082892bd56

SHA512
cf501b4c5ae917fcc7f708ad0d3d8112641637c89eabdc22cd1525cd02393104852d6c26ab65439c33ff8c1bc83ebdebccdd3c3e1c25cd4172b5b4eb2934ea17

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe

Filesize
308KB

MD5
d31cd58c6d1b6a0d4c3849e604e5aef9

SHA1
94a3f92b2e76a3409f3032c2f77cef12517fc6cc

SHA256
7194f949aedab829fadb3b41daa6eb86386e289c3e7559d070fb10082892bd56

SHA512
cf501b4c5ae917fcc7f708ad0d3d8112641637c89eabdc22cd1525cd02393104852d6c26ab65439c33ff8c1bc83ebdebccdd3c3e1c25cd4172b5b4eb2934ea17

Download Submit
memory/2008-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-147-0x0000000000400000-0x000000000079710A-memory.dmp

Filesize
3.6MB

Download
memory/3748-162-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3748-164-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3748-165-0x0000000000400000-0x000000000079710A-memory.dmp

Filesize
3.6MB

Download
memory/4728-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download