ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733

Analysis

max time kernel
146s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
Size

515KB
MD5

1fc3663b785d8859b0c80d983f91440b
SHA1

c44f3cd7c5e4e13bde0909d97b899db412f83399
SHA256

ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733
SHA512

b8694e9710dd144c0e06cde7042d2b382e72e3fa692db346b59f15448e3d65ee7a6e0dae7595782220488147bb5f2461e8bec7342acdf3dab784fb58ad1ea534
SSDEEP

12288:meFD7j1dmwpGwKpg9GzYvq/Y6WkRdgwGi70H24BDdrgptZ991j4JHO:T1/uAXKtzYi/TRdMH2umR991jD

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	Start.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9344508D-385A-48ad-AD7D-B52623E9C6A3}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9344508D-385A-48ad-AD7D-B52623E9C6A3}\StubPath = "C:\\Windows\\SysWOW64\\WinNT.hta"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components	svchost.exe

Deletes itself 1 IoCs

pid	Process
1124	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
980	Start.exe
1124	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dp1.fne	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
File created	C:\Windows\SysWOW64\WinNT.hta	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WinNT.hta	svchost.exe
File opened for modification	C:\Windows\SysWOW64\krnln.fnr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dp1.fne	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SystemXp.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\krnln.fnr	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
File opened for modification	C:\Windows\SysWOW64\Start.exe	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
File opened for modification	C:\Windows\SysWOW64\Start.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25360	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 1124	980	Start.exe	28

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Server.txt	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
File opened for modification	C:\Windows\win.ini	svchost.exe
File opened for modification	C:\Windows\Server.txt	svchost.exe
File opened for modification	C:\Windows\12.txt	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1124	svchost.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
980	Start.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 980	808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe	27
PID 808 wrote to memory of 980	808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe	27
PID 808 wrote to memory of 980	808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe	27
PID 808 wrote to memory of 980	808	ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe	27
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28
PID 980 wrote to memory of 1124	980	Start.exe	28

C:\Users\Admin\AppData\Local\Temp\ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe
"C:\Users\Admin\AppData\Local\Temp\ee57de2fd952eff3c56f920576c6c667254e2f69e4576b9739a7633c461fa733.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SysWOW64\Start.exe
  C:\Windows\system32\Start.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\12.txt

Filesize
102B

MD5
b6c8ed6b896704c44686606788ea5fbf

SHA1
7c4372a1a2a4e20c3c779b7e168626fc47e04d72

SHA256
a05c6c5fca61edc562eb0b145f2e7cf3f98ec636a9e2159b2d919f34427f9fa2

SHA512
9e0085fba64f5362442a2fcef59a2616c18948c13b56b37f884856d61872b63aae8c57ef55e90acdf9d5e30818a2c3ac6e275f7f8fb2d0dbf120c0886238c9d8

Download Submit
C:\Windows\Server.txt

Filesize
22B

MD5
3cd906490e3005741d2830847a1540d4

SHA1
4f12564c2bf51ee41976327a1258ffe3a89e61e3

SHA256
5bc58abd97be994a1730b392fd783317b6a933bee4ebb7a730798824824bd173

SHA512
e50de5a954193b89b951ff6a540fd54797c15e1928b382e1fe02fc7b8edc8ab7de02cf687756cb814f5970a6cc4c0127e25ed2f51b68aeedbee640b7faf3d25a

Download Submit
C:\Windows\SysWOW64\Start.exe

Filesize
143KB

MD5
83eff4562e2c076d60770b277a63baaf

SHA1
8246282a0a13004f3b2a2c072d53ce3790ea4550

SHA256
19ce69ea936585fd6281f88878d7ec11e56af0fb071233a810a5d6bbe89b9f7b

SHA512
fd38afb21ea89efffebd83290deddc74503fef327d7b9fa91cd2eae9ffce463433ca8b40b7aa12dd34a828225d96a27ffdd576e2279865c2ecd34bc2a3ca7225

Download Submit
C:\Windows\SysWOW64\Start.exe

Filesize
143KB

MD5
83eff4562e2c076d60770b277a63baaf

SHA1
8246282a0a13004f3b2a2c072d53ce3790ea4550

SHA256
19ce69ea936585fd6281f88878d7ec11e56af0fb071233a810a5d6bbe89b9f7b

SHA512
fd38afb21ea89efffebd83290deddc74503fef327d7b9fa91cd2eae9ffce463433ca8b40b7aa12dd34a828225d96a27ffdd576e2279865c2ecd34bc2a3ca7225

Download Submit
C:\Windows\SysWOW64\dp1.fne

Filesize
50KB

MD5
8703a35775a6f8e6580e9d071e7809b3

SHA1
7396abbd4028250ed9319b3f96e871bb9fb6b7cd

SHA256
c5b4b57cb002f59ccbdf795d9792c9e3aa65465b600d8e74e970bab2bdc2d3bc

SHA512
f2db8b5243829a1f715e131e22f74ce2794f27fd102f7a84b4b19489aa6e10f0afb5a4d5f52b999cb67f9e87a34499684f0b8f5dc7435ab5fef2c6122736e875

Download Submit
C:\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
\Windows\SysWOW64\Start.exe

Filesize
143KB

MD5
83eff4562e2c076d60770b277a63baaf

SHA1
8246282a0a13004f3b2a2c072d53ce3790ea4550

SHA256
19ce69ea936585fd6281f88878d7ec11e56af0fb071233a810a5d6bbe89b9f7b

SHA512
fd38afb21ea89efffebd83290deddc74503fef327d7b9fa91cd2eae9ffce463433ca8b40b7aa12dd34a828225d96a27ffdd576e2279865c2ecd34bc2a3ca7225

Download Submit
\Windows\SysWOW64\Start.exe

Filesize
143KB

MD5
83eff4562e2c076d60770b277a63baaf

SHA1
8246282a0a13004f3b2a2c072d53ce3790ea4550

SHA256
19ce69ea936585fd6281f88878d7ec11e56af0fb071233a810a5d6bbe89b9f7b

SHA512
fd38afb21ea89efffebd83290deddc74503fef327d7b9fa91cd2eae9ffce463433ca8b40b7aa12dd34a828225d96a27ffdd576e2279865c2ecd34bc2a3ca7225

Download Submit
\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
memory/808-85-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/808-91-0x0000000000400000-0x00000000004A1200-memory.dmp

Filesize
644KB

Download
memory/808-84-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/808-55-0x0000000000400000-0x00000000004A1200-memory.dmp

Filesize
644KB

Download
memory/980-64-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/980-90-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/980-87-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/980-63-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/980-86-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-82-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/1124-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-88-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/1124-89-0x0000000000403000-0x0000000000425000-memory.dmp

Filesize
136KB

Download
memory/1124-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1124-95-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download