39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4

General

Target

118f4d2961f859309786305a8922e703.exe
Size

150KB
MD5

118f4d2961f859309786305a8922e703
SHA1

13e51e4599fbce83827b03edd3a5c673dd8ef035
SHA256

39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4
SHA512

30eb612011d329c884224667d54add7c8cef7e928079fe7bafcc2200c5de275946ab2d901068bdcd7e5a94ad405159efcbfea8cf92137553055f7c5ccce40497
SSDEEP

3072:+IaWa+TaCjfrxmwEqm//1xUwQCEPXqCB7dWYs/xNv:paqaCjDVEb3pQCEniYs/xt

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	118f4d2961f859309786305a8922e703.exe

Loads dropped DLL 24 IoCs

pid	Process
2516	svchost.exe
2516	svchost.exe
2284	svchost.exe
2284	svchost.exe
2824	svchost.exe
2824	svchost.exe
864	svchost.exe
864	svchost.exe
2680	svchost.exe
2680	svchost.exe
1712	svchost.exe
1712	svchost.exe
1740	svchost.exe
1740	svchost.exe
1660	svchost.exe
1660	svchost.exe
2168	svchost.exe
2168	svchost.exe
2956	svchost.exe
2956	svchost.exe
2064	svchost.exe
2064	svchost.exe
3040	svchost.exe
3040	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	118f4d2961f859309786305a8922e703.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	118f4d2961f859309786305a8922e703.exe

C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe
"C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2168

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
150KB

MD5
3ddce9c690f9278efa9fc1c0af6d604e

SHA1
fa0d2367fa3f986d336d9e23320865dd6f99522a

SHA256
fb3f2d4a5a5cea538352dbd0174659b0e7d7ad8e9302c937c4b8bc72121e6896

SHA512
6d2ce3a89521bc10c8619ca38a95c28bf1295d329551248e92251834c09f1803d6d0e38328ce4f22be5532b6004053ac7e878a4cf3bdcb12fadfcfa9d6b6abc7

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
79KB

MD5
fdf4806f06ad37017c363892e6df095d

SHA1
da179d5206589cdec221e64f2167159750802451

SHA256
d0333427f603b542cb41d98fd5b6645a47379adb5492f287f383f467cf2b59af

SHA512
cdd574e49d37e5ef31c78ed1809bf3e6255fcde2a65f29c229acb88b753e903ffbec36cdca0a0e7d2014ef3f00099ad5f6af3f98e58d7a62a05405df4292df1f

Download Submit
\Windows\SysWOW64\SRService.dll

Filesize
69KB

MD5
db2243be8c61bdc190828f79dfc6d739

SHA1
06a5e6beead36a3b411b40f24a2e3cbb510acd79

SHA256
9f93cb8e2a6c85f934f1128d29d0102cd5304435bf41c9e64eb0fa4d446cee23

SHA512
e06116d9789cf4157669abecfba40c12cab66596e82fc69b576be83a2d154fa20281491fde59b2598d3c9493670376828800bcaa4e52b8124026b208cd1b1b56

Download Submit
memory/864-26-0x00000000001E0000-0x0000000000205000-memory.dmp

Filesize
148KB

Download
memory/1712-35-0x0000000000150000-0x0000000000175000-memory.dmp

Filesize
148KB

Download
memory/2020-20-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2020-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2020-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2020-2-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2020-1-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2284-14-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2516-8-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/2824-21-0x0000000000380000-0x00000000003A5000-memory.dmp

Filesize
148KB

Download
memory/3040-61-0x0000000000120000-0x0000000000145000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads