21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

Analysis

max time kernel
150s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Size

427KB
MD5

01d8815042e43612391f519406c51d40
SHA1

b693364b39812a4cbc082b4d7dacaa582da7e0cd
SHA256

21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13
SHA512

c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a
SSDEEP

12288:NhNa7JySNwf7bQJ586JveE8l/dZfJzFpcXYpjYLOHD:NU5wf7bDdF8Ypjs

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Connection Manager = "C:\\Windows\\System32\\drivers\\cmstp.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dllhst3g.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Connection Manager	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cmstp.exe	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	rsvp.exe

Loads dropped DLL 17 IoCs

pid	Process
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Csrss	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MessageService	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MessageService = "C:\\Windows\\System\\mqtgsvc.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System\mqtgsvc.exe	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
File opened for modification	C:\Windows\System\RCX76E8.tmp	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
File created	C:\Windows\System\rsvp.exe	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
File opened for modification	C:\Windows\System\RCX77D3.tmp	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
File created	C:\Windows\System\wininit.exe	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WinInit	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc = "C:\\ProgramData\\cisvc.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WinInit = "C:\\Windows\\System\\wininit.exe"	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1760	1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe	26
PID 1404 wrote to memory of 1760	1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe	26
PID 1404 wrote to memory of 1760	1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe	26
PID 1404 wrote to memory of 1760	1404	21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe	26

C:\Users\Admin\AppData\Local\Temp\21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe
"C:\Users\Admin\AppData\Local\Temp\21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System\rsvp.exe
  C:\Windows\System\rsvp.exe /a 1
  2⤵
  - Executes dropped EXE
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
9B

MD5
ce111886c7008194d0da1ff5165bca47

SHA1
a61500496e3366bc7e7c0fb4c8aface12139a8f0

SHA256
a0d73d64126249bead07de402a2f50fd00dc2ceb973619db3db8c79570fd20cc

SHA512
f817fef9c266fc1b837c33a50309daaff1d058d41a92737693e5b0f02e3eddf97b8d431e661e2a48bb78903025b72680963a876179b13c57198f697e24f50bcc

Download Submit
C:\Windows\system\rsvp.exe

Filesize
427KB

MD5
4e165a064b9c03c7626dd1257a9cf572

SHA1
7067f8c3cab7da5a97397458ce8bb11cdd580348

SHA256
8315ce4e951631f3de108e2525b6f85e8d3c47f8c56e259b13725af502ba4e23

SHA512
a6d861cbb54627dbc3d221c667c7a713cae70ce4a045bc296ef4c50997db9cc43e0441296978f3eac1139612307917ea6f3cf8a3a073600e74d5167cbc384eb4

Download Submit
\ProgramData\cisvc.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\ProgramData\cisvc.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\rsvp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\rsvp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dllhst3g.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dllhst3g.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\SysWOW64\drivers\cmstp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\SysWOW64\drivers\cmstp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\mqtgsvc.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\mqtgsvc.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\rsvp.exe

Filesize
427KB

MD5
4e165a064b9c03c7626dd1257a9cf572

SHA1
7067f8c3cab7da5a97397458ce8bb11cdd580348

SHA256
8315ce4e951631f3de108e2525b6f85e8d3c47f8c56e259b13725af502ba4e23

SHA512
a6d861cbb54627dbc3d221c667c7a713cae70ce4a045bc296ef4c50997db9cc43e0441296978f3eac1139612307917ea6f3cf8a3a073600e74d5167cbc384eb4

Download Submit
\Windows\system\rsvp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\rsvp.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\wininit.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
\Windows\system\wininit.exe

Filesize
427KB

MD5
01d8815042e43612391f519406c51d40

SHA1
b693364b39812a4cbc082b4d7dacaa582da7e0cd

SHA256
21a4ab34cb00fcfabd21bb5215187409a0628740c742c92a049ff482bf37fb13

SHA512
c7c03a096df95a321d63fcc4ca83bf518ac6a2d03f1afafb18eb131bf138c2d89dab38747ac9a9c46e1d67af2f4734b46d9da06ce066a7f7b9ae6eb8a9a1839a

Download Submit
memory/1760-74-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads