faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58.dll
Size

644KB
MD5

0a83cd19908686609f53343bf3d13d50
SHA1

5ba04c9fdd815bcaaf6a6f2ec33a96ea54b49051
SHA256

faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58
SHA512

4e13a14869f9ce3c68ea8d40b76c0390a4b3ea232a8d2b04a7dd4f23cab82a4602806d98aa67dd65259844336cb8bc3ee3a705c07b490271be3f46330cac6fc5
SSDEEP

12288:Tb0ljCddInCcO7/k7zZihDpEGyhH+o5RZXIhg2oNQu1:H0dCdb7c7lUmGyECR1V2oNQu

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EGTOWBRDV\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58.dll"	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dad32533.dll	svchost.exe
File created	C:\windows\SysWOW64\wbem\deloqq.sys.tmp	svchost.exe
File created	C:\windows\SysWOW64\wbem\deloqq.sys	svchost.exe
File created	C:\Windows\SysWOW64\dad32533.dll	svchost.exe
File opened for modification	C:\windows\SysWOW64\wbem\deloqq.sys	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4212	2040	regsvr32.exe	81
PID 2040 wrote to memory of 4212	2040	regsvr32.exe	81
PID 2040 wrote to memory of 4212	2040	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\faf3dbc5d93d810046373a5cc0f920b7dc97e7306b02933e3feb155bb9da9c58.dll
  2⤵
  - Sets DLL path for service in the registry
  PID:4212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k XEEGBDJZU -s EGTOWBRDV
1⤵
- Drops file in System32 directory
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4212-133-0x0000000000760000-0x0000000000808000-memory.dmp

Filesize
672KB

Download