3da31cc9dba462a8f1c0375c8209051ab9a1eb7c46c7bca5b9c9a535569eee8d

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3488a8c46e54c2075d2cb417f6e9ae79.dll
Size

160KB
MD5

3488a8c46e54c2075d2cb417f6e9ae79
SHA1

f58cdc06d51a4a2b25184c3ec9a247b97a930f5a
SHA256

3da31cc9dba462a8f1c0375c8209051ab9a1eb7c46c7bca5b9c9a535569eee8d
SHA512

8812c71bc31b381c5b1731871a25d3331c4d123a82544c9ffce8ea3c57d2fc0799b68b81c5faf94e2054124bf6bcfd87a983c236f011815b872ac4462fcbc0c1
SSDEEP

3072:W0wpqFegLt9a46GT40hAzJLD2ZWd/0JyxiyFr:W0RFegLtjMA2FD8Wd/0Uxr

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LmHots\Parameters\ServiceDll = "C:\\Program Files (x86)\\Common Files\\Services\\Com.txt"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Services\Com.txt	rundll32.exe
File created	C:\Program Files (x86)\Common Files\Services\Com.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1844	rundll32.exe
1844	rundll32.exe
2508	svchost.exe
2508	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1844	rundll32.exe
Token: SeCreateGlobalPrivilege	2508	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1844	764	rundll32.exe	87
PID 764 wrote to memory of 1844	764	rundll32.exe	87
PID 764 wrote to memory of 1844	764	rundll32.exe	87
PID 1844 wrote to memory of 4640	1844	rundll32.exe	92
PID 1844 wrote to memory of 4640	1844	rundll32.exe	92
PID 1844 wrote to memory of 4640	1844	rundll32.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3488a8c46e54c2075d2cb417f6e9ae79.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3488a8c46e54c2075d2cb417f6e9ae79.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\240630000.BaT
    3⤵
    PID:4640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LmHots -s LmHots
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\Com.txt

Filesize
160KB

MD5
3488a8c46e54c2075d2cb417f6e9ae79

SHA1
f58cdc06d51a4a2b25184c3ec9a247b97a930f5a

SHA256
3da31cc9dba462a8f1c0375c8209051ab9a1eb7c46c7bca5b9c9a535569eee8d

SHA512
8812c71bc31b381c5b1731871a25d3331c4d123a82544c9ffce8ea3c57d2fc0799b68b81c5faf94e2054124bf6bcfd87a983c236f011815b872ac4462fcbc0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\240630000.BaT

Filesize
250B

MD5
a83d2c1ad0a87fc72d9fa86c7f7d1888

SHA1
0e484bed1ba2dd54d27b8ff3e351db33544b80bb

SHA256
c96c15c1e17a79d1479160434fa237ad72e46974c31bb7720228fc5fd249abdd

SHA512
c19ba7e19b147db6d3fd9a6e980e21b7813afe6c8e84b68562463b8fac23a881d374d757ef809da1ee84da37b4caa35140fb2a8215d8a4e8db25c4e907812bdf

Download Submit
memory/1844-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download