beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe
Size

76KB
MD5

08911a6b3a9a46c26faab78a3be5c090
SHA1

1ec5232d69baa359b62fcd848788ba413eb52976
SHA256

beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135
SHA512

1be4b8c255e721fa90fce17b46c004b6dcbbce9d0e8f7873562478c11f25d830a778d4268fa9815243db2f6957bf5233a093cf4e46638054e92565175e8be3d1
SSDEEP

1536:ZfiYWaShpZkupSlganAIGNzWq66Xroget5tGafvkRhZlhNqNPo3:Zfif7OupcgDI56Xr1et3G5RhZhqNPo3

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pwlxqo\Parameters\ServiceDll = "%SystemRoot%\\System32\\bftloj.dll"	beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe

Deletes itself 1 IoCs

pid	Process
752	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1328	beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe
752	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005b820.001	beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe
File created	C:\Windows\SysWOW64\bftloj.dll	beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
752	svchost.exe
752	svchost.exe
752	svchost.exe

C:\Users\Admin\AppData\Local\Temp\beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe
"C:\Users\Admin\AppData\Local\Temp\beadc50f6811efca2e636250a7b14ea21ff82b8185f609bc6bec9d3c28764135.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -K pwlxqo
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\bftloj.dll

Filesize
99KB

MD5
b524af770e05659de2dc26a7db52c70b

SHA1
1641904982639020937300c915774df63854d517

SHA256
64a7e504f20c1c78ed5a9219a577e49ebd0450bd365f9d138e1d85a2bc88c3d6

SHA512
271882d2b173586f544855df0d0919a2c1732fd6a0ce129c11b0d06cf0bedca23e0c8d53a8491c35870c8b1e971b9dd2b322eed11533e78bcf10af3b517cbb71

Download Submit
\Windows\SysWOW64\bftloj.dll

Filesize
99KB

MD5
b524af770e05659de2dc26a7db52c70b

SHA1
1641904982639020937300c915774df63854d517

SHA256
64a7e504f20c1c78ed5a9219a577e49ebd0450bd365f9d138e1d85a2bc88c3d6

SHA512
271882d2b173586f544855df0d0919a2c1732fd6a0ce129c11b0d06cf0bedca23e0c8d53a8491c35870c8b1e971b9dd2b322eed11533e78bcf10af3b517cbb71

Download Submit
\Windows\SysWOW64\bftloj.dll

Filesize
99KB

MD5
b524af770e05659de2dc26a7db52c70b

SHA1
1641904982639020937300c915774df63854d517

SHA256
64a7e504f20c1c78ed5a9219a577e49ebd0450bd365f9d138e1d85a2bc88c3d6

SHA512
271882d2b173586f544855df0d0919a2c1732fd6a0ce129c11b0d06cf0bedca23e0c8d53a8491c35870c8b1e971b9dd2b322eed11533e78bcf10af3b517cbb71

Download Submit
memory/752-61-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/752-62-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1328-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1328-57-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1328-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download