e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8

Analysis

max time kernel
179s
max time network
112s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 01:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8.exe
Size

762KB
MD5

3b57cc4e491168a4fa083dea9ad65b57
SHA1

3898021a8302a0f58a149907233dfbdb4dd92a11
SHA256

e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8
SHA512

ff38cd3c38578b8003651973d38547af5abe18c3ce074dce616b86317c20f29fd5c69c5466bf4cac86fb8e938925b3bb2a710fd091cf64fc3115da4f6583e169
SSDEEP

12288:rG6lrpOjWtGNgDUiWqWNKDrt25G6lrpOjWtGNgDUiWqWNKDrt2x:KcOjWcCDUiWBwrk8cOjWcCDUiWBwrkx

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\windmad.dll"	e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8.exe

Deletes itself 1 IoCs

pid	Process
1348	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1348	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
848	e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8.exe

C:\Users\Admin\AppData\Local\Temp\e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8.exe
"C:\Users\Admin\AppData\Local\Temp\e1e8e2e91e375185a0595e8ba2bae1f8498a132e5d7186ae3396e19ff4aefab8.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\local user\windmad.dll

Filesize
99KB

MD5
687e8c6438047229c4b3177b369d275e

SHA1
bb341ba42d3a321a4c07f519e2a9e4fa84c98b92

SHA256
92fd05762ef24cc465e74596b0f9bc908f0e605646219c43f82547bdbe3ce924

SHA512
21ea2cad3090da82e2340e44e833aed87324891700ac24b99378b84b0471ffd2423abe40de32ae539e5f3a386dbb73081b0f63c91b80d3bb57d366b18e3eebc5

Download Submit
\Users\Local User\windmad.dll

Filesize
99KB

MD5
687e8c6438047229c4b3177b369d275e

SHA1
bb341ba42d3a321a4c07f519e2a9e4fa84c98b92

SHA256
92fd05762ef24cc465e74596b0f9bc908f0e605646219c43f82547bdbe3ce924

SHA512
21ea2cad3090da82e2340e44e833aed87324891700ac24b99378b84b0471ffd2423abe40de32ae539e5f3a386dbb73081b0f63c91b80d3bb57d366b18e3eebc5

Download Submit
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/848-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/848-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/848-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download