39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118f4d2961f859309786305a8922e703.exe
Size

150KB
MD5

118f4d2961f859309786305a8922e703
SHA1

13e51e4599fbce83827b03edd3a5c673dd8ef035
SHA256

39c3866b393047086438a91c76b0763144c54e28f7d9ed2d98210402185d5fc4
SHA512

30eb612011d329c884224667d54add7c8cef7e928079fe7bafcc2200c5de275946ab2d901068bdcd7e5a94ad405159efcbfea8cf92137553055f7c5ccce40497
SSDEEP

3072:+IaWa+TaCjfrxmwEqm//1xUwQCEPXqCB7dWYs/xNv:paqaCjDVEb3pQCEniYs/xt

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	118f4d2961f859309786305a8922e703.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	118f4d2961f859309786305a8922e703.exe

Loads dropped DLL 24 IoCs

pid	Process
1736	svchost.exe
1736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2620	svchost.exe
2620	svchost.exe
2256	svchost.exe
2256	svchost.exe
564	svchost.exe
564	svchost.exe
3028	svchost.exe
3028	svchost.exe
2680	svchost.exe
2680	svchost.exe
2800	svchost.exe
2800	svchost.exe
1596	svchost.exe
1596	svchost.exe
2272	svchost.exe
2272	svchost.exe
2444	svchost.exe
2444	svchost.exe
1056	svchost.exe
1056	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	118f4d2961f859309786305a8922e703.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	118f4d2961f859309786305a8922e703.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	118f4d2961f859309786305a8922e703.exe

C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe
"C:\Users\Admin\AppData\Local\Temp\118f4d2961f859309786305a8922e703.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:3028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2272

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2444

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ntmssvc.dll

Filesize
33KB

MD5
82bc72a3294799e645210d30db98e699

SHA1
31022040f6842dc329ad4f813abdbb6dd5cae21a

SHA256
e002d6339b16c5764cd97ea1c95cd02fac79cda0275a4226fcf2f84626343819

SHA512
c9d6e0849486f9927b4cd8d386a26b7d32c5be7b15036c7eea6091b5993b5e01264088bcab9b39bab59ad73f9407bbc157491cbfb99a4fe295db9d3a915e7fe1

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
22KB

MD5
2d43578d4decf40b1709a46c44036991

SHA1
d21b81d8127fbeb360bfd67e8625f31c884db4d9

SHA256
150023a4367e33d61a50fccccf30ab815d2525b80fb485213396d8ee66229cd3

SHA512
623a266ad7f970ba4b97d5dfe2c51930271dccb036ee6be55a202015434ea57321018b376100fca785f9d001abb51d478ad76a742221f817a91dc11c4d73e292

Download Submit
\??\c:\windows\SysWOW64\helpsvc.dll

Filesize
39KB

MD5
d5264538ff2488e27b03b777d43247da

SHA1
58ccba7ff4c9b3efb9a1646628a240e31031e0e0

SHA256
b0be4f7a226683a367a8f4e8539fe396ca6cec21dfd4c60e2621a9829aa2a0ff

SHA512
6f51165fbccaa80f1129285770d7abca2003d3a855af8a205c7c40dfb7417493ef5b4af6d45742086588f2bfdf32c0815155f1fb96a3fa817bfe5122606c7e1f

Download Submit
\??\c:\windows\SysWOW64\logonhours.dll

Filesize
18KB

MD5
d4bbfa19da7d4eebf10712d5dc877712

SHA1
249b974fe440cf520737c8c4ce326856125847f7

SHA256
8fad49303a348f51b24c3753e4e92a19349ca4d6f1901c8276b9b39d2b3f1744

SHA512
c0f2a74ce1d5b9af0d0780fb700c3feca868ab40f0cb505dcdfcf4b79ad5520917c042a27bcf28a84892836518cd673bad855f841807a6cca1e71b79c2e0374c

Download Submit
\??\c:\windows\SysWOW64\nla.dll

Filesize
92KB

MD5
ef4fbd04395aea3558ccc5872d88c920

SHA1
ebd1625c0ff41a343f14e667da7519383a01d4c8

SHA256
971d4e42aae0ba6e683ede91ea48e96c132ae8a48ae0a2c187c5936eaeb0ed60

SHA512
3685002e9552d1f1d86d72cc8931041bf5ffdd2399da69c280ec3bc348e42aea0a3d50e10c23b55b23b279bdaf25e2cbb35a08ad2af0d3115ea1e34d3c6f9920

Download Submit
\??\c:\windows\SysWOW64\ntmssvc.dll

Filesize
23KB

MD5
ce478b314f49eceb0c1a9d37a9d813e8

SHA1
2818bdfcd018af8fe5a6d0a7444f7b5a8bc82abc

SHA256
6863a69830a48de2582d074018ee26baebf3192925f5fa684a47ced967399f4f

SHA512
9618ff057fe90d9fba1dd6118adea4ea022b01f6dd530982590e0abf56e7b5da8cecdbadb847962a029f78b24c0dbf0460deb1d2e23320e0e13b1e8e08e4caca

Download Submit
\??\c:\windows\SysWOW64\pcaudit.dll

Filesize
36KB

MD5
57dc7dcc6073438377070fecadd37e45

SHA1
18298537526b89dc7c8a2df4e61b6ba1626de614

SHA256
f2fddd0b10d1bf1cd90ede1ae7327453342570fd5d11fa0f2ae21da2940f0515

SHA512
6169e8630083ffbf3ba46866f7f4ebbf6f2cefe6907314583936b2772b416fe23bd4ae7c6360c2158da12b2a7bac3adcb4b25cbacf2350676a95fdde0d2f5c41

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
150KB

MD5
3ddce9c690f9278efa9fc1c0af6d604e

SHA1
fa0d2367fa3f986d336d9e23320865dd6f99522a

SHA256
fb3f2d4a5a5cea538352dbd0174659b0e7d7ad8e9302c937c4b8bc72121e6896

SHA512
6d2ce3a89521bc10c8619ca38a95c28bf1295d329551248e92251834c09f1803d6d0e38328ce4f22be5532b6004053ac7e878a4cf3bdcb12fadfcfa9d6b6abc7

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
4KB

MD5
7f182b1aedab60ee8a19aa25171be172

SHA1
2333f07a33b86e388b33349ffa8ed0829a5dba5a

SHA256
f4dc07ffadeac5265291b73efc9e47fbd562f58f06656c88fb12dd7ff293cb5a

SHA512
623a6dbc2fa06caacef496670c94055f4ec93d478092b6f24abc9b8640acb2ba7839fb62c6ce89d02af9df3251665fede5343d484a4cd7ced601545ee2e3bd0a

Download Submit
\Windows\SysWOW64\LogonHours.dll

Filesize
19KB

MD5
ddf80cd3dff131f7581e2cd35dc080c1

SHA1
e1215141a3b92b2b30f0f9faca94c6d36a0698ca

SHA256
93582110d9f942f084574deb593f740bc96fca28ec329a1f616a88e1b5710e65

SHA512
c36bbbe3878bef2fed69ea09def378ebd2bb90eb9323e176de9c914919392a5f9093729f88c0105d4b6dfffae3b4c9b70499cf77eafb7e23e0b216e3e8c18db4

Download Submit
\Windows\SysWOW64\LogonHours.dll

Filesize
7KB

MD5
e26cd7a3c2f5c4a014dcebd5c2ea9ce0

SHA1
10e206c8feb4a2402d5b94ee4250d638ff64d5a0

SHA256
09e7f4a8a319e9f2539460abd257865334c0d47a4790800d53e223d9bacdaf90

SHA512
85a1b6b5603f7ca91b2b4f17fb4db1556a200d828391c400072a87e725e2380fb603450a37497c5c157a3c880befa6ba0023971efd7cce83a3872934d94c87dd

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
27KB

MD5
2ff1c2852f5478e2e772ca5d483ddd22

SHA1
177d015a9c204f6649f3f2418f0d4a86971ba667

SHA256
9fdb2fa0b6bb464758a80c0c71c451420289919bf1d85226da9a7755614aa7bf

SHA512
fd8ead5ff5590858dca249a6e2a28f35f6a2fa52cc9dd49f29f3a367fa7aea2e848e0c98488efc869694f345e889ac807ba30ac6cfd87a0247ca5f1310194545

Download Submit
\Windows\SysWOW64\NWCWorkstation.dll

Filesize
124KB

MD5
4b751d5b89a0e158c56017cb0b19082f

SHA1
f695188f63a5c75b81ac0e338a8e7327dca07d16

SHA256
17b1a0b3d4da046ce697f9f371e3e8221ec82527e03e8d99db16c396b5588854

SHA512
42bc8386cfc06df2588dc695da909c5d38093059ee122e63bab1892d9d35e81b166379f44f9fda723376470fcbc0689a4eaeb096d12ab302e135437d139769d8

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
37KB

MD5
54a68c4f65dfeeb9e963e07ef4461999

SHA1
fcb71b5b711902681bf32c07657b66f0a7a3c161

SHA256
c552dbece3c49150942d444e9ef1f606fa3018231ef0b19d5eefa3453b549a9b

SHA512
ea0a3d581fc768d0dc2e0b1cfa4f4b7e145eff4e14ddcbaa420b23fa9471154d9df81c130f9abf3d40351eb143041121b5dd7d481d55450bfea5da64fb16b583

Download Submit
\Windows\SysWOW64\Nla.dll

Filesize
32KB

MD5
5efe035f699be0c1090c0116da9c0e70

SHA1
b2f67678070d32e77dcbabde5c1192e1e2ce8ac5

SHA256
af7fe1d6b0187e453191d7526cb626e83bad01cb7d28be75db2706b96263dc19

SHA512
935d17abc54a77c6ab80fe68e2d5899a7f62e857f626b73c56c617c9867f6b068a7d14b70da777d3af546726fd4e97d30b0530041be51749b9b084941abc4d2e

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
53KB

MD5
70328de59543ca19b9e5088ec9440cd8

SHA1
919ee038dfaf2b610f8d6a343f865e2d3ffd96fe

SHA256
2ab2e78a2901928b891603ab1409c881d3ef95f6ae845fac6f222e242dd503b6

SHA512
1bb7890b52e29004e637c43f1ce74ca71bf1e1fa5cd82f4d0a2598703bad9e50ddbc099cf342f2ffea4dc3ab4a958ef54491919cadd06a0a414d195356fd5587

Download Submit
\Windows\SysWOW64\Ntmssvc.dll

Filesize
10KB

MD5
e993359de63a60fc2db6e2b70535ac9f

SHA1
46f840084b43e5dd888f1dd066b18759cdc6a20f

SHA256
54a946eecd37bcdf124f5b46bc50e4f2e56ec31afb7ee80bb88a70962c8c4c1d

SHA512
e5d9638536a950a9a43b3d52db6cd7746a2e2f9037ced1eea3574b3b07fe8920331beaad8f157c4b4d471743dcb14f2475a967a5bef7a91176ba482bff7d789a

Download Submit
\Windows\SysWOW64\PCAudit.dll

Filesize
12KB

MD5
dac1fd3f92e722e7a46fa6a0a1e84f8d

SHA1
a78bc2cf1dd350a5a68993eb7ecdd4c5af48effc

SHA256
60ae547bdec8ed81f8646dda175727485f3ba92c693881074244a81774eaba93

SHA512
d1223c6c3fe209b65e916777d85c6b908aec1f51db2419de7331ed7ab309e4e4a16bb8f756a96184d0c1b21c1ca0c82719741b2dc34f78bb54f05b822de52803

Download Submit
\Windows\SysWOW64\PCAudit.dll

Filesize
55KB

MD5
46f8dae8e7ac8336ddfa0401c1782658

SHA1
ce02dcb9ff9b0a505fd375ef18edb7a3b5cbf981

SHA256
96d10391a6438e4f581f19c5914c494a1ea180907d9f67ebf17cfc7f44ca6e46

SHA512
694642fe0f3c06db0e4f2f5a2628b03acae17bd5d4508563d178187138831143cf0422c6a6699771472dd7e066cf38f1bae75dc22af5bc4d103fafc4162cb72a

Download Submit
\Windows\SysWOW64\helpsvc.dll

Filesize
81KB

MD5
93e0d2a6dcd3409f1e16c7a34001ffea

SHA1
64c97a540383ba591073d6f4c0635fe3d8d080c8

SHA256
f79fd917449fa632972bf8f26bfd6b8fccd4817472ba11ce7073d5ace8ad769a

SHA512
67afe11804b1057871ecbff9c08069d6d9031dda7552168fed65aebe0315d780472a23a2ee311448b652f5a1c1dfa2396e898418eabc1ea9559a0247f1598bad

Download Submit
\Windows\SysWOW64\helpsvc.dll

Filesize
39KB

MD5
e8250bd24c2fff0b9093b62e93d7a79c

SHA1
18ff7c8719eac170c07a95e2e6ef1b577fc15281

SHA256
c8080ac8b84cef4957ba38680c2f080e9a7866557553a023425a3f90c0ff4f05

SHA512
4cfaceee90924ee7a50e25b46c1cc36254a1aa02eca556b307002ea313d824d63e4b21cd2b5856c7a9111570029b3419b8a5b20d1ab1d888010a0402d1e230b4

Download Submit
memory/564-32-0x0000000000180000-0x00000000001A5000-memory.dmp

Filesize
148KB

Download
memory/1056-70-0x0000000000720000-0x0000000000745000-memory.dmp

Filesize
148KB

Download
memory/1596-65-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/1596-53-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/1596-54-0x0000000000160000-0x0000000000185000-memory.dmp

Filesize
148KB

Download
memory/1712-1-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1712-71-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1712-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1712-22-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1712-21-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1712-2-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1712-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1712-20-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2256-27-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2256-37-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2444-63-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/2444-64-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/2680-43-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2680-42-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2736-13-0x0000000000460000-0x0000000000485000-memory.dmp

Filesize
148KB

Download
memory/2736-14-0x0000000000460000-0x0000000000485000-memory.dmp

Filesize
148KB

Download