7d78d20fe815437d47581a063d61ad4c37f19d8d72a9abc6ab657a70e06cd306

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b7a0aba98606fdb9a65150b127c7bc.exe
Size

104KB
MD5

00b7a0aba98606fdb9a65150b127c7bc
SHA1

98f96d187c7878d25e484eb8434414c140c2c0cf
SHA256

7d78d20fe815437d47581a063d61ad4c37f19d8d72a9abc6ab657a70e06cd306
SHA512

91189ab7dde8e8d2a7b7e124b015da7f228291fa8f7023301d8f28740b01ddbd6d3f902398ea558b57c34783379c35deac3a1e57c86cfafeab1e61974c39941e
SSDEEP

1536:bvmdO2zqJiJ6vFCHxvEu7oh2lnD7yoN6OPtjz:zmdO2vJ6S9Ebh2lnSoNPd

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\msosmsfpfis64.sys	00b7a0aba98606fdb9a65150b127c7bc.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	00b7a0aba98606fdb9a65150b127c7bc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msosptfs00.dll	00b7a0aba98606fdb9a65150b127c7bc.exe
File opened for modification	C:\Windows\SysWOW64\msosptfs00.dll	00b7a0aba98606fdb9a65150b127c7bc.exe
File opened for modification	C:\Windows\SysWOW64\msosptfs.dat	00b7a0aba98606fdb9a65150b127c7bc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	00b7a0aba98606fdb9a65150b127c7bc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2168	00b7a0aba98606fdb9a65150b127c7bc.exe
2168	00b7a0aba98606fdb9a65150b127c7bc.exe
2168	00b7a0aba98606fdb9a65150b127c7bc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
472	services.exe
472	services.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	00b7a0aba98606fdb9a65150b127c7bc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 260	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	26
PID 2168 wrote to memory of 340	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	25
PID 2168 wrote to memory of 376	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	24
PID 2168 wrote to memory of 384	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	23
PID 2168 wrote to memory of 424	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	3
PID 2168 wrote to memory of 472	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	2
PID 2168 wrote to memory of 480	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	1
PID 2168 wrote to memory of 488	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	4
PID 2168 wrote to memory of 580	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	22
PID 2168 wrote to memory of 656	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	21
PID 2168 wrote to memory of 736	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	20
PID 2168 wrote to memory of 800	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	19
PID 2168 wrote to memory of 836	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	18
PID 2168 wrote to memory of 984	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	16
PID 2168 wrote to memory of 300	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	5
PID 2168 wrote to memory of 372	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	15
PID 2168 wrote to memory of 1072	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	14
PID 2168 wrote to memory of 1112	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	6
PID 2168 wrote to memory of 1176	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	13
PID 2168 wrote to memory of 1208	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	7
PID 2168 wrote to memory of 1788	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	11
PID 2168 wrote to memory of 2452	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	10
PID 2168 wrote to memory of 2504	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	8
PID 2168 wrote to memory of 3068	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	28
PID 2168 wrote to memory of 3068	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	28
PID 2168 wrote to memory of 3068	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	28
PID 2168 wrote to memory of 3068	2168	00b7a0aba98606fdb9a65150b127c7bc.exe	28

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Suspicious behavior: LoadsDriver
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2504
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2452
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1072
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:372
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:800
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\00b7a0aba98606fdb9a65150b127c7bc.exe
  "C:\Users\Admin\AppData\Local\Temp\00b7a0aba98606fdb9a65150b127c7bc.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\00b7a0aba98606fdb9a65150b127c7bc.exe"
    3⤵
    - Deletes itself
    PID:3068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1788

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:340

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msosptfs00.dll

Filesize
11KB

MD5
bd5a98ef6a62e1cf74d59a825c0bc01d

SHA1
fac827a57608c0a8699f393c9281ee37827e34ed

SHA256
898b56fd395e3ca6f5200f5d631181516f593509d86d9a606ef852266a87fffd

SHA512
2828440a2fc86b9b019f47170558baf4f6a0ab1ce8f9037a057376e6715e41a11b2fdccf1bd5f22b7a8435ea7c28d03107b45cab836dbf091137fd0808580e64

Download Submit
memory/260-9-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/480-31-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2168-10-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download