aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42

Analysis

max time kernel
224s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42.dll
Size

22KB
MD5

9e33fa28c9f3991dea57e0831366371e
SHA1

923732f918748371945abbd1dd3b90fc639c4951
SHA256

aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42
SHA512

61e2413417ab759df739d0de5b4f3192d59a7077e8ef48b9692124cf789219fa12659a5c575c192c606789bdb5ac7102cdb5c48f73525d4e1e40c80a62685f44
SSDEEP

384:W69cZ6z12M+ZxdKFaE5H25aRnfAw89Ug6/axudSGgI/+Jo8YFGqP5vXWvwWu:W69a6h2ddK/5H20Yw89weudZgIAYFp50

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\QQ.dll"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\QQ.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\QQ.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
892	1524	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1524	rundll32.exe
1524	rundll32.exe
1524	rundll32.exe
1788	svchost.exe
1788	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1164 wrote to memory of 1524	1164	rundll32.exe	28
PID 1524 wrote to memory of 892	1524	rundll32.exe	30
PID 1524 wrote to memory of 892	1524	rundll32.exe	30
PID 1524 wrote to memory of 892	1524	rundll32.exe	30
PID 1524 wrote to memory of 892	1524	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 268
    3⤵
    - Program crash
    PID:892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\qq.dll

Filesize
22KB

MD5
9e33fa28c9f3991dea57e0831366371e

SHA1
923732f918748371945abbd1dd3b90fc639c4951

SHA256
aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42

SHA512
61e2413417ab759df739d0de5b4f3192d59a7077e8ef48b9692124cf789219fa12659a5c575c192c606789bdb5ac7102cdb5c48f73525d4e1e40c80a62685f44

Download Submit
\Windows\SysWOW64\QQ.dll

Filesize
22KB

MD5
9e33fa28c9f3991dea57e0831366371e

SHA1
923732f918748371945abbd1dd3b90fc639c4951

SHA256
aa1ed18cf5df1858a8c933b97e4832baa19a239130e101907bedb61879712c42

SHA512
61e2413417ab759df739d0de5b4f3192d59a7077e8ef48b9692124cf789219fa12659a5c575c192c606789bdb5ac7102cdb5c48f73525d4e1e40c80a62685f44

Download Submit
memory/892-59-0x0000000000000000-mapping.dmp

Download
memory/1524-54-0x0000000000000000-mapping.dmp

Download
memory/1524-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download