a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230

Analysis

max time kernel
148s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230.exe
Size

71KB
MD5

e5eebe174517d702dcad60eee1a493f7
SHA1

e993e9239035e4d55b67d7d4d0257b1e2b6df11a
SHA256

a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230
SHA512

d2dc6b5a5c32f55074aed3e0a0f2b5f1ad64af80aa53857483637a95f415cb1c05210cc7d6c9d7b4d2aeb552848d16c2b2aeb149cdc6be4865076fd2ddd01adf
SSDEEP

1536:TPn8njURvkTcvuxfTfQPnOWmTK+5+Vcm2oBKrHDX5:TUnjURvkTcvYfUPnjVcm2oBKrjX

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\defaultlib\Parameters\ServiceDll = "C:\\Windows\\system32\\u141138740.dll"	a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230.exe

Loads dropped DLL 1 IoCs

pid	Process
1324	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\u141138740.dll	a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe
1324	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230.exe
"C:\Users\Admin\AppData\Local\Temp\a52c27dafbf31bc6b2c1d5f11dd0d8ddfe3401a42cee0790ed48244219d43230.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:1584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\u141138740.dll

Filesize
64KB

MD5
721d7448a4d4bfdd1407f4459b925722

SHA1
345a40cf08ecb1d1f04a3c1274b265bca3362ace

SHA256
c5da3222bc8ab0563022553e616de063bd71ee2ab096c86035cdc89a1bbe2b4a

SHA512
20ac4859647e9f39b59bae550345bd2377a7f67c2a57e4fc1494da9ad5cee439e31344c8a23a9fcb71eceee7a75a869588567a335bf6bd0c66fb4c9c18de98b1

Download Submit
\Windows\SysWOW64\u141138740.dll

Filesize
64KB

MD5
721d7448a4d4bfdd1407f4459b925722

SHA1
345a40cf08ecb1d1f04a3c1274b265bca3362ace

SHA256
c5da3222bc8ab0563022553e616de063bd71ee2ab096c86035cdc89a1bbe2b4a

SHA512
20ac4859647e9f39b59bae550345bd2377a7f67c2a57e4fc1494da9ad5cee439e31344c8a23a9fcb71eceee7a75a869588567a335bf6bd0c66fb4c9c18de98b1

Download Submit