e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934

Analysis

max time kernel
155s
max time network
197s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934.dll
Size

105KB
MD5

0006f47ddbf902e35dc4a6895773b800
SHA1

bc890a9c6d5ac84f6a10d991a64a9a36731d7dba
SHA256

e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934
SHA512

c18b47420cf1cf5806a3608501cea6970a26fb7dd4ab44d2316faae7bfb7c1670cb2c0eab316868d846efa3b9c1bb70706a5efb4924bc75e11031385c7430b00
SSDEEP

1536:ljWsawWtjJTwS9euQnTPFFrNLRIO2lnToIfz/Bk:1+JTYumTvN72NTBfzZk

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3800hk\Parameters\ServiceDll = "C:\\Windows\\system32\\3800hk.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1172	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3800hk.dll	rundll32.exe
File created	C:\Windows\SysWOW64\3800hk.dll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28
PID 1308 wrote to memory of 888	1308	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  PID:888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\3800hk.dll

Filesize
105KB

MD5
0006f47ddbf902e35dc4a6895773b800

SHA1
bc890a9c6d5ac84f6a10d991a64a9a36731d7dba

SHA256
e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934

SHA512
c18b47420cf1cf5806a3608501cea6970a26fb7dd4ab44d2316faae7bfb7c1670cb2c0eab316868d846efa3b9c1bb70706a5efb4924bc75e11031385c7430b00

Download Submit
\Windows\SysWOW64\3800hk.dll

Filesize
105KB

MD5
0006f47ddbf902e35dc4a6895773b800

SHA1
bc890a9c6d5ac84f6a10d991a64a9a36731d7dba

SHA256
e2d4e07b60f45eeabdd922e0b4c6e292844bf2fb2c639a6c1421b6c53c6d0934

SHA512
c18b47420cf1cf5806a3608501cea6970a26fb7dd4ab44d2316faae7bfb7c1670cb2c0eab316868d846efa3b9c1bb70706a5efb4924bc75e11031385c7430b00

Download Submit
memory/888-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1172-58-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download