b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9

Analysis

max time kernel
59s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 03:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
Size

23KB
MD5

a61a9c393b0040b14726f20aeff6baf6
SHA1

660ddbb3f76006e3299be189fba28952e3c61a67
SHA256

b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9
SHA512

5f6c959267008e2b40fbfd30fec34935dcb7532cd02af30c4e075c84f635a7cbc91224630f09d92e6457f28d6611a50ba718c1d504ad59c96ba56aac3cc3b51b
SSDEEP

384:ZkRxAFDAdmVvJDRwawaDp/xtqlIWOG0vgl+v9bvboAVn:ZkRxAF0CJSJa1WOG0vgl+v9bkun

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe

Deletes itself 1 IoCs

pid	Process
328	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1452	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tapisrv.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File created	C:\Windows\SysWOW64\regsvc.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File created	C:\Windows\SysWOW64\dllcache\regsvc.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File created	C:\Windows\SysWOW64\dllcache\FastUserSwitchingCompatibility.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File opened for modification	C:\Windows\SysWOW64\appmgmts.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
File opened for modification	C:\Windows\SysWOW64\upnphost.dll	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 328	1676	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe	29
PID 1676 wrote to memory of 328	1676	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe	29
PID 1676 wrote to memory of 328	1676	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe	29
PID 1676 wrote to memory of 328	1676	b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe	29

C:\Users\Admin\AppData\Local\Temp\b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe
"C:\Users\Admin\AppData\Local\Temp\b9f29e90fd32514c848e19cbfd8c9a1192b21549974f8678284d1f46321aa9b9.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\NewLog.bat
  2⤵
  - Deletes itself
  PID:328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NewLog.bat

Filesize
296B

MD5
bad8655fd2a31726c6950dd24e51485d

SHA1
35b0f9fb75df65177882bfee4014288661c7d1af

SHA256
ea21a8e8fce8e875c9e5e1d580f7ef27ce5d9e07507532d53892d7f121c950ba

SHA512
156e9afa0b7a7635bfc354cb6e6c132ba075b086dd99c78e36f862610724578c7021bfc3996e1c5542c8f5ef539c50b5c0f4c29efca66f1f5302b7315f991639

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
15KB

MD5
1042fed380d3055f101dffbeb43fad41

SHA1
33d6d4fd2de44f7a06906a82fa135fc9fa6da4c9

SHA256
a78b21fead2a2bf5186a1d740d9dbe9f7781401baf6a8f65d2997c682756da69

SHA512
3460ac3fbc87d3e38d324bc8b595072109b1a40af0d532a44c45cb362c3b22c5883868d932024937d9fb9df697699346dac3bd0262bfe09b4c8e08bece5f10a5

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
15KB

MD5
1042fed380d3055f101dffbeb43fad41

SHA1
33d6d4fd2de44f7a06906a82fa135fc9fa6da4c9

SHA256
a78b21fead2a2bf5186a1d740d9dbe9f7781401baf6a8f65d2997c682756da69

SHA512
3460ac3fbc87d3e38d324bc8b595072109b1a40af0d532a44c45cb362c3b22c5883868d932024937d9fb9df697699346dac3bd0262bfe09b4c8e08bece5f10a5

Download Submit
memory/1452-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download