39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4

Analysis

max time kernel
39s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118f4d2961f859309786305a8922e703.exe
Size

150KB
MD5

118f4d2961f859309786305a8922e703
SHA1

13e51e4599fbce83827b03edd3a5c673dd8ef035
SHA256

39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4
SHA512

30eb612011d329c884224667d54add7c8cef7e928079fe7bafcc2200c5de275946ab2d901068bdcd7e5a94ad405159efcbfea8cf92137553055f7c5ccce40497
SSDEEP

3072:+IaWa+TaCjfrxmwEqm//1xUwQCEPXqCB7dWYs/xNv:paqaCjDVEb3pQCEniYs/xt

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	118f4d2961f859309786305a8922e703.exe

Loads dropped DLL 36 IoCs

pid	Process
3216	svchost.exe
3216	svchost.exe
3216	svchost.exe
924	svchost.exe
924	svchost.exe
924	svchost.exe
4340	svchost.exe
4340	svchost.exe
4340	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
5036	svchost.exe
5036	svchost.exe
5036	svchost.exe
3748	svchost.exe
3748	svchost.exe
3748	svchost.exe
3748	svchost.exe
3748	svchost.exe
3748	svchost.exe
2916	svchost.exe
2916	svchost.exe
2916	svchost.exe
4312	svchost.exe
4312	svchost.exe
4312	svchost.exe
4312	svchost.exe
4312	svchost.exe
4312	svchost.exe
3232	svchost.exe
3232	svchost.exe
3232	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SRService.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	118f4d2961f859309786305a8922e703.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
972	118f4d2961f859309786305a8922e703.exe
972	118f4d2961f859309786305a8922e703.exe

C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe
"C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:4340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:2800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:5036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:3748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:2916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:4312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:3232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:2380

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
PID:3124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
150KB

MD5
3ddce9c690f9278efa9fc1c0af6d604e

SHA1
fa0d2367fa3f986d336d9e23320865dd6f99522a

SHA256
fb3f2d4a5a5cea538352dbd0174659b0e7d7ad8e9302c937c4b8bc72121e6896

SHA512
6d2ce3a89521bc10c8619ca38a95c28bf1295d329551248e92251834c09f1803d6d0e38328ce4f22be5532b6004053ac7e878a4cf3bdcb12fadfcfa9d6b6abc7

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
74KB

MD5
f0c03ba4e8f9a8f9283f3912f1dfb77a

SHA1
c85b6bb6543c67fcf95081416d9e68f59c6bfd47

SHA256
8a9ed279d1a6cc5c956a7b600e141cd5b0a4d87883077807f2a40267b1a82f12

SHA512
1db314f9d46676ec3da64b2c3c843fae48994b3b5abb99d4b15757cdb97f53e59817ebeb0c5d7e0a944718d3519a1118d9630d9134b2f61fe8ffa48d7d24218b

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
17KB

MD5
5b08298fcdeb675aa83264712e5245af

SHA1
9ece64edcab31bbc25c44e9311c50aec5af3f134

SHA256
451f97544c4a756dd939cef103f4af5fc69945babe040b20d7b405c5a7f89aef

SHA512
807c1ef78ac001914ecc182ad17f862cb68a8ff33395a353d6af43d43d0fa49046b21ca6a8a527d861f66b79113a064cb1da0b011ae8a56d0a6eea2b26603650

Download Submit
C:\Windows\SysWOW64\Irmon.dll

Filesize
92KB

MD5
ef4fbd04395aea3558ccc5872d88c920

SHA1
ebd1625c0ff41a343f14e667da7519383a01d4c8

SHA256
971d4e42aae0ba6e683ede91ea48e96c132ae8a48ae0a2c187c5936eaeb0ed60

SHA512
3685002e9552d1f1d86d72cc8931041bf5ffdd2399da69c280ec3bc348e42aea0a3d50e10c23b55b23b279bdaf25e2cbb35a08ad2af0d3115ea1e34d3c6f9920

Download Submit
C:\Windows\SysWOW64\SRService.dll

Filesize
65KB

MD5
7482eb6c259b4aced55f6d696546e49d

SHA1
b309f5e9c6275d1533579a165d05487d6868f41e

SHA256
3a418132f745f987c3d6999ad25f16b84a6ba401575ae2c50746519b60b2ed6b

SHA512
80019ab21c639c4e83d84e97f6ce0313ec2be6da12dbde151fa02e73fbffd54890630d74970b3d47d314b5172993b9135a915310c4def44f49cfe08c139b307e

Download Submit
\??\c:\windows\SysWOW64\helpsvc.dll

Filesize
98KB

MD5
642d555a1013df340c869bc36d754aaf

SHA1
1b0e6ed01d013e911b0c57d3ad42ccc7e30c3f6c

SHA256
2714e17fa4a5901fc10f21c49ebff1f785ad5e3fa05a64f032b5207c2cd73140

SHA512
33e8f3faad612b79c738b2d109a91872d0aa6929656cc99b895a46ac98e3fe92b05c13820632d049614abe7782400324ebdac2e1d57b2e7b2f7add6a8b3e00a1

Download Submit
\??\c:\windows\SysWOW64\irmon.dll

Filesize
93KB

MD5
c89584b475b044e2851962f309acec85

SHA1
562de45bfd533149e0507f90fe463761b1d5500f

SHA256
ba67da6d15ddce5dc5ec5308e5521524cce3a4b265b368f292d8b495e2da649f

SHA512
dcd5f0eb5e68005fb1d1a96cc54afc6cc1c72cbda02a0d656de0226a9a09b5402de13d92d56c72c3401f4511d29a9685fa7d26586b86bcfa8628270df07d54b5

Download Submit
\??\c:\windows\SysWOW64\logonhours.dll

Filesize
99KB

MD5
4a0c151f3d48c0503bd7d7ebad60980a

SHA1
9253a5924b25a145eabdd173e076c90f3716e499

SHA256
5ac4d375c44763d5bd3b658abb8c65fcbf7e914ca4ce9b76e275db5d3c364de5

SHA512
9caf15e7a806003c61fe5062b23714179b0efa5c17cba581fbc94a22adb329ce76a075a07b636cf7c5e9223fecdbd2e36d1b6cbb770ea31c71b963c6ed51c806

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
13KB

MD5
b315ddf340a34ff46d0a27e397eaeb6b

SHA1
4d1f162c9924e9318d00f89f5f13551acfe87eae

SHA256
118a183d86d60176d476b56799ad960229a98b498bc6740ccbe9bafa71636394

SHA512
7a2a7479e38020ac41f587ae80a886d38f4c665f1ee1b16864b08550de86e917c1c5ecb6ac3b5206623cbbd053faf1c349ed0e2a2d896880df640484779e8aa0

Download Submit
memory/924-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/924-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/972-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/972-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2380-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-80-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3216-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4312-52-0x0000000001160000-0x0000000001185000-memory.dmp

Filesize
148KB

Download
memory/4312-79-0x0000000001160000-0x0000000001185000-memory.dmp

Filesize
148KB

Download