13bb66188c0414b1877c0932a60dcf02c14a00e9bbdd93f8a84a72aab728e711

Analysis

max time kernel
174s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad65da4a8999897c2bbaea1c88c9f39.exe
Size

124KB
MD5

6ad65da4a8999897c2bbaea1c88c9f39
SHA1

a4966349d1fd70dca26314b0304e1673b4e3cdce
SHA256

13bb66188c0414b1877c0932a60dcf02c14a00e9bbdd93f8a84a72aab728e711
SHA512

7902b459f2a84c24211991e3884fc34df1175e74cc288c4c69d785765162bd00f17115bb56c82703c08b85d51f50b7f04d7bf140f8320ec2dacb6a6e53d6e165
SSDEEP

3072:WMV27Wolfw3I3Y5jiQVZQrKCD+RRluJVrLDvwl0:WMVClfw4IkQ0URrujDk

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUv32.dll"	6ad65da4a8999897c2bbaea1c88c9f39.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ndisdrv.sys	6ad65da4a8999897c2bbaea1c88c9f39.exe
File opened for modification	C:\Windows\SysWOW64\FastUv32.dll	6ad65da4a8999897c2bbaea1c88c9f39.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe
Token: SeLoadDriverPrivilege	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe
Token: SeIncBasePriorityPrivilege	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 876	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe	91
PID 3504 wrote to memory of 876	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe	91
PID 3504 wrote to memory of 876	3504	6ad65da4a8999897c2bbaea1c88c9f39.exe	91

C:\Users\Admin\AppData\Local\Temp\6ad65da4a8999897c2bbaea1c88c9f39.exe
"C:\Users\Admin\AppData\Local\Temp\6ad65da4a8999897c2bbaea1c88c9f39.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6AD65D~1.EXE > nul
  2⤵
  PID:876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuv32.dll

Filesize
60KB

MD5
eecf104acbda06fd577e9de0ae2a7eb9

SHA1
a1be7931b3ccc0ce6b7017de870d931d1d3bec1b

SHA256
f177e6c67c3208edd9a2191d5db455bb8aaf831c6fa95f21bfa3c350d077762c

SHA512
c0434d733fe22f9fc9dd98a975b42bfa9de9bca2d0552199a5cd7c8afaf4c6d07f4107d176a78192c575ce3aa731ee82c2d70efc1de8a7bf7087f8c8bfcd8f00

Download Submit
memory/3504-0-0x0000000000400000-0x0000000000423028-memory.dmp

Filesize
140KB

Download
memory/3504-9-0x0000000000400000-0x0000000000423028-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads