f9d61f1953345a0da112b6653fbe72292c73ba8e67f875c0b60e0c8f05f4d024

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034952c93a87e5465783cea13800fbcd.exe
Size

154KB
MD5

034952c93a87e5465783cea13800fbcd
SHA1

f0fdb581db3183ea3d0a40f4e6386bb310dac4b8
SHA256

f9d61f1953345a0da112b6653fbe72292c73ba8e67f875c0b60e0c8f05f4d024
SHA512

1a8d85efd59936156c68fae0018aa6a65f6fb210edc620b703d4218136034165006022c0fdb87a29eeed738e9bf5a1f940bd81f29a2d94067cae3c8389673a90
SSDEEP

3072:r0Cc0k/A9aXfaOxMy/+wErSdhz2ZJsZ4CDl5sgqu3W+YlLsQ0i:rW0kXXfaOxMy/+wE6UZJsZ4Clqu3gL

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TVT\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\PDA\\TVT.DLL"	RUNDLL32.EXE

Deletes itself 1 IoCs

pid	Process
2824	RUNDLL32.EXE

Loads dropped DLL 13 IoCs

pid	Process
2824	RUNDLL32.EXE
2824	RUNDLL32.EXE
2824	RUNDLL32.EXE
2824	RUNDLL32.EXE
2752	svchost.exe
2936	RUNDLL32.EXE
2936	RUNDLL32.EXE
2936	RUNDLL32.EXE
2936	RUNDLL32.EXE
2852	RUNDLL32.EXE
2852	RUNDLL32.EXE
2852	RUNDLL32.EXE
2852	RUNDLL32.EXE

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 4058aaa4ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 4058aaa4ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 204f276fac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 204f276fac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = c0bc647eac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 00a3e789ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 00a3e789ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = e0327b95ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = e09f2fb0ac3ada01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadNetworkName = "Network 3"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 00dfdbb3ac3ada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = c0bc647eac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = c0521088ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 406b86a6ac3ada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\c2-62-8f-0f-eb-7a	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = a07db87aac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 200b8b7cac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 00722799ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 00722799ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = a07db87aac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 00b6c38bac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 0008d3a2ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 406b86a6ac3ada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 6079466dac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 609ffe70ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = c0521088ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = e0327b95ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = c0215097ac3ada01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 609ffe70ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 00b6c38bac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = c0215097ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = e09f2fb0ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 00dfdbb3ac3ada01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 6079466dac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 200b8b7cac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 0008d3a2ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06D2E88B-0416-408A-9C95-E7AA9C4FA2A5}\WpadDecisionTime = 602d02b2ac3ada01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-62-8f-0f-eb-7a\WpadDecisionTime = 602d02b2ac3ada01	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\SS\PROXY	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SS	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SS\PROXY	svchost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2936	RUNDLL32.EXE
2852	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeTcbPrivilege	2752	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	RUNDLL32.EXE
2852	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 3052 wrote to memory of 2824	3052	034952c93a87e5465783cea13800fbcd.exe	28
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2936	2752	svchost.exe	30
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31
PID 2752 wrote to memory of 2852	2752	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe
"C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\RUNDLL32.EXE
  RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 0 "C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Deletes itself
  - Loads dropped DLL
  PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\RUNDLL32.EXE
  RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 2
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2936
- C:\Windows\SysWOW64\RUNDLL32.EXE
  RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 2
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\PDA\TVT.DLL

Filesize
154KB

MD5
20b88c5400d4adddbf6106a875082aa3

SHA1
96314f60282a4013a3dc4fe6cf822e762fc5c2d6

SHA256
e982569ba03c18c8e082029afb2f516672bb5eded8dd2e32ba0e56390e551fb7

SHA512
d2686e13f720ed56e48adfbf0c23b93c991f52bb7d6245c6774f669307725c4829d002427c696e101f2756fe3b7980921a9d6d7a5c36e884c16f2a8ec14e70a1

Download Submit