94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

Analysis

max time kernel
192s
max time network
61s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
08-11-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
Size

246KB
MD5

5b65e0442761c3ba7ab13f19e696a3ad
SHA1

840cd5fabb617cdfd848ff29253b4cce79213a35
SHA256

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d
SHA512

a5af3f57bbeea72a98fa3fcf499f98e568994a9ea29ab5558fc691d83d97decf2c9aa17d2f157442baf63c06b8fcc3c604a5098289c991cd7b061cb22cd64ec7
SSDEEP

3072:dZvq0Fnr1gWPgOYVkN6rnhccEYMY2wuoyq8pq+8MhHRIK8k4B7KHpwRXDYNdY2vx:dZvdr1bkVkNwzEJwu1Z/L8hgpwZY79

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

pid	process
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

description pid process

Token: SeDebugPrivilege 2648 044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

pid	process
1204	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

description	pid	process	target process
PID 2648 wrote to memory of 424	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	winlogon.exe
PID 2648 wrote to memory of 468	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	services.exe
PID 2648 wrote to memory of 484	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	lsass.exe
PID 2648 wrote to memory of 492	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	lsm.exe
PID 2648 wrote to memory of 600	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 680	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 764	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 816	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 860	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 972	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 272	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 916	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	spoolsv.exe
PID 2648 wrote to memory of 1060	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 1120	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	taskhost.exe
PID 2648 wrote to memory of 1176	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	Dwm.exe
PID 2648 wrote to memory of 1204	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	Explorer.EXE
PID 2648 wrote to memory of 2224	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	svchost.exe
PID 2648 wrote to memory of 2076	2648	044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe	sppsvc.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1060

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:2224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1204

C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
"C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-164-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/272-96-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/272-104-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/424-52-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/424-12-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/424-10-0x0000000077431000-0x0000000077432000-memory.dmp

Filesize
4KB

Download
memory/424-9-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/424-8-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/424-6-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/424-4-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/468-18-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/468-61-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/468-19-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/468-20-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/484-29-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/484-28-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/484-26-0x0000000000A50000-0x0000000000A7A000-memory.dmp

Filesize
168KB

Download
memory/484-74-0x0000000000A50000-0x0000000000A7A000-memory.dmp

Filesize
168KB

Download
memory/492-32-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/492-35-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/492-38-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/492-42-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/492-83-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/600-45-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/600-41-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/600-90-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/600-37-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/600-44-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/680-53-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/680-55-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/680-114-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/680-50-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/764-56-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/764-68-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/764-119-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/764-63-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/816-126-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/816-64-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

Filesize
64KB

Download
memory/816-60-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/816-65-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/816-66-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/860-73-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/860-146-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/860-77-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/916-108-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/916-101-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

Filesize
168KB

Download
memory/916-166-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

Filesize
168KB

Download
memory/972-93-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/972-86-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/972-82-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/972-156-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/1060-170-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/1060-116-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/1060-111-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/1120-121-0x0000000001B70000-0x0000000001B9A000-memory.dmp

Filesize
168KB

Download
memory/1120-123-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/1120-171-0x0000000001B70000-0x0000000001B9A000-memory.dmp

Filesize
168KB

Download
memory/1176-132-0x0000000001C30000-0x0000000001C5A000-memory.dmp

Filesize
168KB

Download
memory/1176-172-0x0000000001C30000-0x0000000001C5A000-memory.dmp

Filesize
168KB

Download
memory/1176-136-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/1204-139-0x0000000002990000-0x00000000029BA000-memory.dmp

Filesize
168KB

Download
memory/1204-173-0x0000000002990000-0x00000000029BA000-memory.dmp

Filesize
168KB

Download
memory/1204-144-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/2076-175-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/2076-160-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/2076-168-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/2224-150-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/2224-153-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/2224-174-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/2648-3-0x00000000771C0000-0x00000000772DF000-memory.dmp

Filesize
1.1MB

Download
memory/2648-1-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2648-169-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2648-34-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads