Analysis

  • max time kernel
    74s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2023 17:59

General

  • Target
    7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13.dll
  • Size
    101KB
  • MD5
    d4ae0cb9493e07bbde77bb341f9943f0
  • SHA1
    2dffdcc424f4e734a2f784c7e46584738a2616f8
  • SHA256
    7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13
  • SHA512
    5a42861c454c05da833df776f58388fe3cb53ee7086e8048a8ce4c02aded988a32672dd128a0d1099da464105762367b8385401abf240b5e4c6787874389d078
  • SSDEEP
    3072:XsU+S7o2ET2Xm5h0yXkyohodNfgxEHsvAEnYc+jlp:cU+SM2ETIG0yXk6Ux6svjv

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a023e2fad2a78cfd927b21153aa690781f30f0c58dc75e52c7d7fae6446fd13.dll,#1
    1⤵
    • Sets service image path in registry
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\system32\cmd.exe
      cmd.exe /c takeown /f "C:\Windows\system32\mscorp.exe" && icacls "C:\Windows\system32\mscorp.exe" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\system32\mscorp.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2036
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\mscorp.exe" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2024
    • C:\Windows\system32\mscorp.exe
      C:\Windows\system32\mscorp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\program files (x86)\Internet Explorer\iexplore.exe
        "C:\program files (x86)\Internet Explorer\iexplore.exe" google.com
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" google.com
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1916

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
    File Permissions Modification (T1222): 1


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 340B
    MD5: d93ee5fa9a1ce6324af9500c60125eaf
    SHA1: 67deb635a652bdae062b9a7cc30c4b0187a4ee4f
    SHA256: d715a51867f3d9083e5f9373e8ee39e8516d4c6c7e70134f401e3167a894542e
    SHA512: 67835f33a868f01258246c8d99f7dc8293cff010b5025f71659972498d998f3ff22d9afae59e0702d6523dfc98f9eabe6d00d88622892c141792a4659f8ae66b

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
    Filesize: 9KB
    MD5: 8e6faf6af6dd1432ec41bace5a86ac4d
    SHA1: c9be0e130d79c65a6e46d9a573f0d2740b5528a8
    SHA256: c7a18bceeba819b5819ac121b6a7811cd7e57fbcd4ef5d0fde70790e2215d636
    SHA512: 271ffb99acf6a7e6402ea98975a5c5ab5af0005148626510a7ab01a6da46f24d4d62c93985937d98871444968630587e65170ce824aee1ef01f8b0a94cd62b44

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YGUL4J4Q.txt
    Filesize: 607B
    MD5: 17ba606b7923a2738668d2d67fdc9d7c
    SHA1: 2e4d446ccf5dca5b93f6f254e37058c2d4207ce0
    SHA256: 512ad964b268691eb80e2afea4f0510b8d31e4abe5549ddbb072b6d49325a68b
    SHA512: 664a08fdab780aaabedc180ee9c56313d9b1684bbff4147952b18bc750341198d4c35e709dec3354c4fd8ed98d57179ba95664316064925feb7e48cd69f5e25f

  • C:\Windows\System32\mscorp.exe
    Filesize: 28KB
    MD5: 7a761c26dcf4c1e3b607bb09a17a6691
    SHA1: 3348c59e794f19cc328ab262c2c0b57d25656d8e
    SHA256: 21b3ecefc540dd04a9e30d8bb8333279faef495661be9d99bbbb2cc43db8bd68
    SHA512: 56b2a3041c37d3a3b8f2b622aca71145dd8db0b5b8a16f8bd86170af83e683c2bc824ca8912c71ce3447152f44854e9b529fd2c79aae06910c62dc313947ef1b

  • C:\Windows\system32\mscorp.exe
    Filesize: 28KB
    MD5: 7a761c26dcf4c1e3b607bb09a17a6691
    SHA1: 3348c59e794f19cc328ab262c2c0b57d25656d8e
    SHA256: 21b3ecefc540dd04a9e30d8bb8333279faef495661be9d99bbbb2cc43db8bd68
    SHA512: 56b2a3041c37d3a3b8f2b622aca71145dd8db0b5b8a16f8bd86170af83e683c2bc824ca8912c71ce3447152f44854e9b529fd2c79aae06910c62dc313947ef1b

  • memory/1788-54-0x0000000000000000-mapping.dmp
  • memory/1960-55-0x0000000000000000-mapping.dmp
  • memory/1960-60-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/2024-59-0x0000000000000000-mapping.dmp
  • memory/2036-57-0x0000000000000000-mapping.dmp