c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 03:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe
Size

202KB
MD5

f416bdcfb70be6d79a3aa6b893cd8643
SHA1

baaa32adf991bf680810aa31a754bec3703e4706
SHA256

c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858
SHA512

54d503cbc11fd146a210b730dccd8d17f462a68e996fb4902a39c8c91924c24079f1e8430460da8baa4fee7ebea09974ae444daaa5d1fac498c7ff10a1c28e25
SSDEEP

6144:/gksy6rW8C05JjmWM0X6tpztl5Ing91M6:/KnHjFhYpzt8

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DRATSer\Parameters\ServiceDll = "C:\\Windows\\system32\\\\System64.dll"	c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe

Loads dropped DLL 1 IoCs

pid	Process
488	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dat	c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe
File created	C:\Windows\SysWOW64\System64.dll	c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	2032	WerFault.exe	80

C:\Users\Admin\AppData\Local\Temp\c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe
"C:\Users\Admin\AppData\Local\Temp\c5e0117afbcc4e8b03ffec3c41eedc192692ea88f0609b26ab29845a4a327858.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 376
  2⤵
  - Program crash
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2032 -ip 2032
1⤵
PID:3640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\System64.dat

Filesize
65B

MD5
4c01e7038fbfb2a52e4b779bdb3235d8

SHA1
69c05d5238647fdc427efd9f875b77033479ed4a

SHA256
d6a530c535853267f677867c88a5e0e1a6530e6a499b960c0f13bafddfbb86c0

SHA512
f9919352e3f98f682d1e9c0fe4b0ca2778cd7bef086f075ac1ad1edfcd9c99fee74d5ef3bf0f4e004b50434df3d32a66149aae3c51449baac64971f205ca75e0

Download Submit
C:\Windows\SysWOW64\System64.dll

Filesize
292KB

MD5
fc437cd7b8d79f31bb087ea0ddaaced1

SHA1
9e78e8db53a994a4d49226222767bdb450aa263a

SHA256
358419a6952114a0c41b8570a78a53c4780f98b99ec7f10d61fa5333ee23d395

SHA512
314d3bf2c4150e24fabf7dd13b7370bbabf2b830fcff8a81c3b9551c3c434a636f60e992863298e9dd6a3561ac2376983e9bcbdf3cef1b3d9488921ed32f0381

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
292KB

MD5
fc437cd7b8d79f31bb087ea0ddaaced1

SHA1
9e78e8db53a994a4d49226222767bdb450aa263a

SHA256
358419a6952114a0c41b8570a78a53c4780f98b99ec7f10d61fa5333ee23d395

SHA512
314d3bf2c4150e24fabf7dd13b7370bbabf2b830fcff8a81c3b9551c3c434a636f60e992863298e9dd6a3561ac2376983e9bcbdf3cef1b3d9488921ed32f0381

Download Submit
memory/488-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/488-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download