7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe
Size

216KB
MD5

0ae144e5591d49c8baa7884d1e916850
SHA1

7cc4bc8562a7ff1acf7fdc23d94528c84d2996f6
SHA256

7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618
SHA512

2ce4d753bb329e5afb2b3d29f73a4963fcb6b6f80feaa9db76a85997125b4e732960b7ac48bc574e2b30a9ab7ca9fc2410310619ac018b52a64f622d43fd8f20
SSDEEP

3072:JH4vxp0AFQibeZvWUS9m5ALXeFwduKOTztf8NM:JH4vxp0At0uGQXqNKOTzaM

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wind0ws\Parameters\ServiceDll = "C:\\WINDOWS\\system32\\1106\\Suppor32.dll"	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe

Deletes itself 1 IoCs

pid	Process
1224	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\1106	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe
File created	C:\WINDOWS\SysWOW64\1106\Suppor32.dll	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AntiWare.txt	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1724	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeBackupPrivilege	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe
Token: SeRestorePrivilege	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1724	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe	27
PID 1100 wrote to memory of 1724	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe	27
PID 1100 wrote to memory of 1724	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe	27
PID 1100 wrote to memory of 1724	1100	7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe	27

C:\Users\Admin\AppData\Local\Temp\7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe
"C:\Users\Admin\AppData\Local\Temp\7bbcc9b5cf4d86ae8400cf96dbd5e2d22f10e836bf45593c634cbd0449ccc618.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\1106\suppor32.dll

Filesize
30.2MB

MD5
648dfbd0324f7f955a5e9d04a8841e3c

SHA1
a6644a2a7cfb3a1e6bdb4cd3f503040a6e6a69f1

SHA256
a2f8d555abb2034a524b13886b524efd25951e700b2d55e9236a9709cda90282

SHA512
33071a35780af79c015f08f7aedf911dac8fa7455861cdf3ac19914753a0aa10635d934dbf1257c11f57a66a41ae26ff931b2fa139572ca519678cd4b6d7792e

Download Submit
\Windows\SysWOW64\1106\Suppor32.dll

Filesize
30.2MB

MD5
648dfbd0324f7f955a5e9d04a8841e3c

SHA1
a6644a2a7cfb3a1e6bdb4cd3f503040a6e6a69f1

SHA256
a2f8d555abb2034a524b13886b524efd25951e700b2d55e9236a9709cda90282

SHA512
33071a35780af79c015f08f7aedf911dac8fa7455861cdf3ac19914753a0aa10635d934dbf1257c11f57a66a41ae26ff931b2fa139572ca519678cd4b6d7792e

Download Submit
memory/1100-54-0x0000000000402000-0x0000000000437000-memory.dmp

Filesize
212KB

Download
memory/1100-55-0x0000000000400000-0x0000000000436180-memory.dmp

Filesize
216KB

Download
memory/1100-58-0x0000000000400000-0x0000000000436180-memory.dmp

Filesize
216KB

Download
memory/1224-60-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1224-61-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/1224-62-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download