6f2129b1e154ac4e59778563467a9eac91912d9dc03aa6ab5bfe88cf58dd033b

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8277a28b42eb820b6003c4e08d0053b4.exe
Size

6.9MB
MD5

8277a28b42eb820b6003c4e08d0053b4
SHA1

968b66c72bb65214cfd57af1ae9eda086a5fbc17
SHA256

6f2129b1e154ac4e59778563467a9eac91912d9dc03aa6ab5bfe88cf58dd033b
SHA512

116d87e23f64eeb8b917f79408479e348c474097f10a89aff09dc8c8be4ebbe58238bf77252442a667463a6652f0452a8fc06c75925af1a1e91d291a3c59eff3
SSDEEP

196608:1OsgMzFzZ/4pz/8X7yuP20nAEhYuz0gUTqfk2S+:1O/M9ZQRYyuhAAYuQTW82S+

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WUDFHostController\Parameters\ServiceDLL = "C:\\ProgramData\\Remote Utilities\\Backup\\msimg32.dll"	WUDFHost.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	Silverlight.Configuration.exe
2716	WUDFHost.exe

Loads dropped DLL 7 IoCs

pid	Process
2232	8277a28b42eb820b6003c4e08d0053b4.exe
2232	8277a28b42eb820b6003c4e08d0053b4.exe
2684	Silverlight.Configuration.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2388	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Silverlight.Configuration.exe = "\"C:\\ProgramData\\Remote Utilities\\Backup\\Silverlight.Configuration.exe\""	WUDFHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60e1858f0400da01	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\SysWOW64\ieframe.dll,-5723 = "The Internet"	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	WUDFHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	WUDFHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2684	Silverlight.Configuration.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2388	svchost.exe
2388	svchost.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2232	8277a28b42eb820b6003c4e08d0053b4.exe
Token: SeDebugPrivilege	2684	Silverlight.Configuration.exe
Token: SeTakeOwnershipPrivilege	2716	WUDFHost.exe
Token: SeTcbPrivilege	2716	WUDFHost.exe
Token: SeTcbPrivilege	2716	WUDFHost.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe
2716	WUDFHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2684	2232	8277a28b42eb820b6003c4e08d0053b4.exe	28
PID 2232 wrote to memory of 2684	2232	8277a28b42eb820b6003c4e08d0053b4.exe	28
PID 2232 wrote to memory of 2684	2232	8277a28b42eb820b6003c4e08d0053b4.exe	28
PID 2232 wrote to memory of 2684	2232	8277a28b42eb820b6003c4e08d0053b4.exe	28
PID 2716 wrote to memory of 2444	2716	WUDFHost.exe	31
PID 2716 wrote to memory of 2444	2716	WUDFHost.exe	31
PID 2716 wrote to memory of 2444	2716	WUDFHost.exe	31
PID 2716 wrote to memory of 2444	2716	WUDFHost.exe	31
PID 2444 wrote to memory of 1668	2444	cmd.exe	33
PID 2444 wrote to memory of 1668	2444	cmd.exe	33
PID 2444 wrote to memory of 1668	2444	cmd.exe	33
PID 2444 wrote to memory of 1668	2444	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8277a28b42eb820b6003c4e08d0053b4.exe
"C:\Users\Admin\AppData\Local\Temp\8277a28b42eb820b6003c4e08d0053b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe
  "C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe" f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- - C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe
    "C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe"
    3⤵
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Remote Utilities\Backup"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionPath "C:\ProgramData\Remote Utilities\Backup"
        5⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "WUDFHostController" -svcr "WUDFHost.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remote Utilities\Backup\MSIMG32.dll

Filesize
103KB

MD5
9e20a938438c276ee36acecef977364b

SHA1
288816e2f027075966d0a8b86387ff7fc5f89e80

SHA256
a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

SHA512
424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

Download Submit
C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\ProgramData\Remote Utilities\Backup\WUDFHost.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\ProgramData\Remote Utilities\Backup\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\ProgramData\Remote Utilities\Backup\settings.dat

Filesize
5KB

MD5
0e7ba2cb293b0068f7016063f1724d50

SHA1
0a1fbad5c284cde95559e2ceb1a59579336337ff

SHA256
d36aa23d6d4d64937fb02f67da38a03f51221ed68917e7148ff005ba8bc4454d

SHA512
eb1a7309846c0cd614bb0de519248a2c17a3cbc6f06f8f45df4b1d04786687e1923c0ff2cdf08e7cf74a1071687160445ee6e76be8364b4a27befccab7e4fe5e

Download Submit
C:\ProgramData\Remote Utilities\Backup\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\ProgramData\Remote Utilities\Backup\w32.dat

Filesize
166KB

MD5
2c5e106f847b886979cc5e1b7941f3b0

SHA1
abb94f3c804554f332d537cc13ccdee776f4cbe5

SHA256
d9ce77ebcd40b8790ff625a5682bcfc8667f3fa99dcba72bd3078d6f94e52277

SHA512
521521f95ba53f84c9d11819f3f828b72123905a0bbd6e891ce33f2354c6370e1e23e73e583d5c065b7de5eba329fa7f2a87d3ad23f8d588e1393ed402a973f5

Download Submit
C:\ProgramData\Remote Utilities\Backup\w64.dat

Filesize
195KB

MD5
2bc32883b924395a4a9b6429e150d12a

SHA1
89d6a753e466406b70c5b9bce3617a6b96c7c817

SHA256
3a0ff1e04417b15dca13bf11277655a231ab50cf1c3ed9d6313d94e8e02fc1f9

SHA512
e58823785f27adc50fcf922937b2e8471326e8eaf39343c4697fd1069c605889be2577d0e328284bdccc6ca8ba9c64536746fbd4dd6ea94cdc5ca4137cfe4ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8799.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
\ProgramData\Remote Utilities\Backup\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
\ProgramData\Remote Utilities\Backup\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
\ProgramData\Remote Utilities\Backup\msimg32.dll

Filesize
103KB

MD5
9e20a938438c276ee36acecef977364b

SHA1
288816e2f027075966d0a8b86387ff7fc5f89e80

SHA256
a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

SHA512
424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

Download Submit
\ProgramData\Remote Utilities\Backup\msimg32.dll

Filesize
103KB

MD5
9e20a938438c276ee36acecef977364b

SHA1
288816e2f027075966d0a8b86387ff7fc5f89e80

SHA256
a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

SHA512
424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

Download Submit
\ProgramData\Remote Utilities\Backup\msimg32.dll

Filesize
103KB

MD5
9e20a938438c276ee36acecef977364b

SHA1
288816e2f027075966d0a8b86387ff7fc5f89e80

SHA256
a1b6b6d949a861237aa8a4972e6e41dc1ed5b82df7d0c8c371edae199fda85da

SHA512
424c7bd662d63357650bc9cfa465ce62da9c09213601561021785666e25da6ef2a71cb2886c071450a5887830137f481ff37e887438e3b43dd35816c90f694cb

Download Submit
\ProgramData\Remote Utilities\Backup\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
\Users\Admin\AppData\Local\Temp\nst8799.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
memory/1668-71-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1668-72-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1668-67-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-73-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-68-0x0000000073790000-0x0000000073D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-69-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2684-35-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2716-58-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/2716-60-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/2716-59-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2716-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2716-55-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2716-44-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2716-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2716-74-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-75-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-76-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-77-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-78-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-81-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-82-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-83-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-84-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-85-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-86-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-87-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-88-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/2716-89-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download