750048f31e6244dd814b586dc67c1b7dd74b328c58fe6ed4a79d779009662a6c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cc29f9d8d0fb63df99de80cf43fb7c5.exe
Size

60KB
MD5

0cc29f9d8d0fb63df99de80cf43fb7c5
SHA1

6c2e82dcf9cf38cda395e2db3ce140da45563806
SHA256

750048f31e6244dd814b586dc67c1b7dd74b328c58fe6ed4a79d779009662a6c
SHA512

0ab75beb7f8f9bf94fa8c5c7f08c3c3b35cb13c7fca86e7c8b99154fde78fd3ffb8dd65ab75d639c6b7f5cc841239f8969e46c7fdb0d17b8c7d04d29c814894f
SSDEEP

768:8VJnR+k0rxcwPMMsRfJEAG8YOMgqQAIiyQKXEtQ5cNTXwSa5/d/jSUHvOhte9GzO:Afh9RfJpGEbqEwW6ezuJAGzUcbvwXxB

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xyimoi\Parameters\ServiceDll = "%SystemRoot%\\System32\\wrfkax.dll"	0cc29f9d8d0fb63df99de80cf43fb7c5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\xyimoi\Parameters\ServiceDll = "%SystemRoot%\\System32\\wrfkax.dll"	0cc29f9d8d0fb63df99de80cf43fb7c5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\xyimoi\Parameters\ServiceDll = "%SystemRoot%\\System32\\wrfkax.dll"	0cc29f9d8d0fb63df99de80cf43fb7c5.exe

Loads dropped DLL 2 IoCs

pid	Process
4964	0cc29f9d8d0fb63df99de80cf43fb7c5.exe
4288	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\00056dc1.ini	0cc29f9d8d0fb63df99de80cf43fb7c5.exe
File created	C:\Windows\SysWOW64\wrfkax.dll	0cc29f9d8d0fb63df99de80cf43fb7c5.exe

C:\Users\Admin\AppData\Local\Temp\0cc29f9d8d0fb63df99de80cf43fb7c5.exe
"C:\Users\Admin\AppData\Local\Temp\0cc29f9d8d0fb63df99de80cf43fb7c5.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:4964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k xyimoi
1⤵
- Loads dropped DLL
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wrfkax.dll

Filesize
7KB

MD5
09f56072868329234af4b1ad64dc2c1b

SHA1
929f05f8e0e38491d776b40acc17bb746637a7fa

SHA256
79dcad549df4dea033e60d3da8129a4d7ea2727f5a31066cd6f22c3b08de610e

SHA512
f76b9bcc282d7d5f90e27f291f7aaa1c5bd1ebdff0096e8bbab6dbf90d4ba2def8ef328dea39dbf41e64690e5dec6e71fcc32a08252d073ba446be44203b6bfe

Download Submit
C:\Windows\SysWOW64\wrfkax.dll

Filesize
11KB

MD5
5f4803608c9c90eefa5c014a0a908a9a

SHA1
70d208a873d85015e5ef1fd12fc6fd41ed291b4f

SHA256
ba77b258a8c3fa6d7aea167c8657d3790c0f3783ac7eea60a6c36f3ecbc04860

SHA512
791a5f3d96b53b23188d56b882c27de5eab2849781a753b06bde53a5acb244c8b56c65f1340f4000b084ea697fd920b2d31b6728daf236e94e34d36a2894377d

Download Submit
\??\c:\windows\SysWOW64\wrfkax.dll

Filesize
34KB

MD5
fa8cd08bae76d07b17cd04f5c947d1b6

SHA1
d33c3c28a0eb2d587a578f5d37d345dbb1f2563a

SHA256
cc377bebad5af18252bdd02d0989e29ccc5373bc0d59ed9eb911b46045f8408a

SHA512
6c4e983c0f0aabe0bb514dc6b0f13ff3f13e307a837f69727762188c36ff5fcec824205d7ba8a830d3e03f4101dd238e827cd174bc13024a2485ffa4ff9c47ed

Download Submit
memory/4288-9-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4288-10-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4964-0-0x0000000000400000-0x0000000000405148-memory.dmp

Filesize
20KB

Download
memory/4964-5-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4964-11-0x0000000000400000-0x0000000000405148-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads