f8b56d5b198b081ecc52e0771e8e6c495587b62b50bce5b3c78169f39ca59390

Analysis

max time kernel
162s
max time network
201s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17df305886d4418dd627bf476d503fbf.exe
Size

128KB
MD5

17df305886d4418dd627bf476d503fbf
SHA1

54836668939c3f944fc2a3ec186fb23439482a8b
SHA256

f8b56d5b198b081ecc52e0771e8e6c495587b62b50bce5b3c78169f39ca59390
SHA512

f0cf549d399978a282b4c447f6a82830ed54a95527a83ca24c9d466a46a890de99f15dbfe6a80e28670911ad623ead7b8d5ec0d2b13d312317cacb509ca269e0
SSDEEP

1536:NGs+Z6jy8Q6o9/onIze7zVRaDk87Lmw+RsIvGiEW43SQe5EUMjkUmUq:NGsu6jyr9fz8T6X+RZvPEyEUmkUb

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winet\Parameters\ServiceDll = "C:\\Windows\\system32\\winnet.dll"	17df305886d4418dd627bf476d503fbf.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	17df305886d4418dd627bf476d503fbf.exe
2580	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winnet.dll	17df305886d4418dd627bf476d503fbf.exe
File created	C:\Windows\SysWOW64\winnet.dll	17df305886d4418dd627bf476d503fbf.exe
File created	C:\Windows\SysWOW64\winnet.dll.uns	17df305886d4418dd627bf476d503fbf.exe
File opened for modification	C:\Windows\SysWOW64\winnet.dll.uns	17df305886d4418dd627bf476d503fbf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3056	2968	WerFault.exe	28

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	17df305886d4418dd627bf476d503fbf.exe
2580	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2968	17df305886d4418dd627bf476d503fbf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3056	2968	17df305886d4418dd627bf476d503fbf.exe	30
PID 2968 wrote to memory of 3056	2968	17df305886d4418dd627bf476d503fbf.exe	30
PID 2968 wrote to memory of 3056	2968	17df305886d4418dd627bf476d503fbf.exe	30
PID 2968 wrote to memory of 3056	2968	17df305886d4418dd627bf476d503fbf.exe	30

C:\Users\Admin\AppData\Local\Temp\17df305886d4418dd627bf476d503fbf.exe
"C:\Users\Admin\AppData\Local\Temp\17df305886d4418dd627bf476d503fbf.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 208
  2⤵
  - Program crash
  PID:3056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\KKK.dll

Filesize
110KB

MD5
7658243bd405b956e42eada139139fbd

SHA1
df8ff421aba028b2bc7cdbb09875ff31c986bcd3

SHA256
75e9360078c15ea13c938b5688496380b43203d8c70e38fb2cbb4c7207c12d1c

SHA512
73683a13bc30e43a9d01345e23abb4b0983ea27e01ae295e81efc2eb55e56d9812e60bfe7deec36f47861e20d573b2e1bf0a667548bd4145d645baad1904b2f1

Download Submit
memory/2580-12-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/2580-15-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/2580-18-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/2580-24-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/2580-30-0x0000000000100000-0x0000000000123000-memory.dmp

Filesize
140KB

Download
memory/2968-2-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/2968-8-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download
memory/2968-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2968-14-0x0000000000220000-0x0000000000243000-memory.dmp

Filesize
140KB

Download