dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f

Analysis

max time kernel
146s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Size

91KB
MD5

db67e5310ddfe800fc8f2602c3bee5e0
SHA1

8b128e7ea3f736a22cd9ae1a6188102848fa8a42
SHA256

dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f
SHA512

2a2b62ef4c0dc12004d391aa96a94c905a6271f185f0f81a60b8a7d62ee3f16d17c3de2f56fdfbb764cf1c750832d9f4ea5c1fd30dd4d29a3fd66a553063ddd6
SSDEEP

1536:kK7N7e5HvCHs/4h41xG5G92vJMv4Tzwn45W59HkzeLYPL3fVynafqvPdIOU5gF:kKBC5CH+xBIvNfw95YeoLoSqtIz

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe

Loads dropped DLL 16 IoCs

pid	Process
1704	svchost.exe
1704	svchost.exe
1880	svchost.exe
1880	svchost.exe
936	svchost.exe
936	svchost.exe
1788	svchost.exe
1788	svchost.exe
680	svchost.exe
680	svchost.exe
1036	svchost.exe
1036	svchost.exe
1760	svchost.exe
1760	svchost.exe
600	svchost.exe
600	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1176	dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe

C:\Users\Admin\AppData\Local\Temp\dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe
"C:\Users\Admin\AppData\Local\Temp\dc2c8de97ff83100e0cccdcb1a9629f65001d07935622007c1a37a9e4df3194f.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1880

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\nwcworkstation.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\nwsapagent.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\srservice.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\??\c:\windows\SysWOW64\wmdmpmsp.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Irmon.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\Nwsapagent.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\WmdmPmSp.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
\Windows\SysWOW64\WmdmPmSp.dll

Filesize
91KB

MD5
66fc3fc552030cd3db46fd6ca97804e3

SHA1
4fc06465a7577f4fd05523b83debf41388d4bc2e

SHA256
41d74d232f9e0faec282aa9990d829ee419306b47cec842dbc7ca48ca28da85d

SHA512
06bd30645771056ea71418d0c6fa68df4443290884b94eaf1a0ca460732e636e72cd2630e8ceec9f6c544a3081477e2f9828821e065f794099de0c4baf7ae043

Download Submit
memory/1176-62-0x0000000001E80000-0x0000000005E80000-memory.dmp

Filesize
64.0MB

Download
memory/1176-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1176-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1176-56-0x0000000001E80000-0x0000000005E80000-memory.dmp

Filesize
64.0MB

Download
memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download