5862d73082ccbdb8f167f4d208d5c1095eec16cdca5bc9a8f6410e13a6c3db19

Analysis

max time kernel
124s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 02:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

006fa04e202f3b578680ab6dfef95395.exe
Size

1.1MB
MD5

006fa04e202f3b578680ab6dfef95395
SHA1

73fba67d3fff4570183955242b7392e77f091447
SHA256

5862d73082ccbdb8f167f4d208d5c1095eec16cdca5bc9a8f6410e13a6c3db19
SHA512

7491d10978f04a4ef6c4b81783bc160f2ffddc565b61e264dd3277cf841e02eda01f1c40a555f5c3f8ddc8cf0d21c5fad12cf81c6f80b201a15e621241ce243b
SSDEEP

3072:4LcOJ/v6+0hzWcQ/LYynMVb9vEhuTbhMUj7WAk4/5DGKl:ALBv6+6zUgbpCuTtNqAk6D9

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Rspdates Apxplicatioanjrq\Parameters\ServiceDll = "C:\\Documents and Settings\\\\Rspdates.dll"	006fa04e202f3b578680ab6dfef95395.exe

Deletes itself 1 IoCs

pid	Process
4444	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4444	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4308	006fa04e202f3b578680ab6dfef95395.exe
4308	006fa04e202f3b578680ab6dfef95395.exe
4308	006fa04e202f3b578680ab6dfef95395.exe
4308	006fa04e202f3b578680ab6dfef95395.exe
4308	006fa04e202f3b578680ab6dfef95395.exe
4308	006fa04e202f3b578680ab6dfef95395.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	4308	006fa04e202f3b578680ab6dfef95395.exe
Token: SeRestorePrivilege	4308	006fa04e202f3b578680ab6dfef95395.exe

C:\Users\Admin\AppData\Local\Temp\006fa04e202f3b578680ab6dfef95395.exe
"C:\Users\Admin\AppData\Local\Temp\006fa04e202f3b578680ab6dfef95395.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\documents and settings\rspdates.dll

Filesize
1KB

MD5
226d5fee9e21f6c9b1de053c17301d2b

SHA1
6ea9806d8bea31aab24cfc1a10555f44a09ef512

SHA256
76619f4a1b0b52936853378e6ede9838e6f26b517e4dcde2c3a2ef49952936b0

SHA512
09d66291ceace07f6a33005fdb7a1fc798485d7c213b2e94b2561baf6f5491e9a38b4c07546afd3bcd32002f492e1e36775d78d9088150785c6494f06a17d832

Download Submit
memory/4308-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4308-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download