59a79707b9eafc889842cb5726f4ab0ac14e23e95ccbece213ed1233d6a073a1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53828613d07c8b4cfe73ce6731404368.exe
Size

31KB
MD5

53828613d07c8b4cfe73ce6731404368
SHA1

5ad7ca44548ae1cf10f7213e43b8b641026fb825
SHA256

59a79707b9eafc889842cb5726f4ab0ac14e23e95ccbece213ed1233d6a073a1
SHA512

9ffd9fbb04ad4ebc560d83a3475ce001eebf24feb2b6cf0ae9be440a2b2b89cdd79fb033987ffae5ac6ed7e07e5027f2eac6b6b8303016351995930385a9eaec
SSDEEP

384:XRRuARafr9bCYPCH0E3Tvo8pJ39GF/15S1YMigCbJTklIpCy6KK8YhmIO7Xhy1H:XRZRor9nPCL883394S1mgkZT6Nn8XVQ

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "%SystemRoot%\\system32\\nwcwks.dll"	53828613d07c8b4cfe73ce6731404368.exe

Loads dropped DLL 1 IoCs

pid	Process
1876	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2028-6-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nwcwks.dll	53828613d07c8b4cfe73ce6731404368.exe
File opened for modification	C:\WINDOWS\SysWOW64\CMD.EXE	53828613d07c8b4cfe73ce6731404368.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2028	53828613d07c8b4cfe73ce6731404368.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe
2028	53828613d07c8b4cfe73ce6731404368.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeTakeOwnershipPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeRestorePrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeBackupPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeChangeNotifyPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeTakeOwnershipPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeRestorePrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeBackupPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe
Token: SeChangeNotifyPrivilege	2028	53828613d07c8b4cfe73ce6731404368.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 384	2028	53828613d07c8b4cfe73ce6731404368.exe	5
PID 2028 wrote to memory of 384	2028	53828613d07c8b4cfe73ce6731404368.exe	5
PID 2028 wrote to memory of 384	2028	53828613d07c8b4cfe73ce6731404368.exe	5
PID 2028 wrote to memory of 384	2028	53828613d07c8b4cfe73ce6731404368.exe	5
PID 2028 wrote to memory of 384	2028	53828613d07c8b4cfe73ce6731404368.exe	5
PID 2028 wrote to memory of 400	2028	53828613d07c8b4cfe73ce6731404368.exe	4
PID 2028 wrote to memory of 400	2028	53828613d07c8b4cfe73ce6731404368.exe	4
PID 2028 wrote to memory of 400	2028	53828613d07c8b4cfe73ce6731404368.exe	4
PID 2028 wrote to memory of 400	2028	53828613d07c8b4cfe73ce6731404368.exe	4
PID 2028 wrote to memory of 400	2028	53828613d07c8b4cfe73ce6731404368.exe	4
PID 2028 wrote to memory of 436	2028	53828613d07c8b4cfe73ce6731404368.exe	3
PID 2028 wrote to memory of 436	2028	53828613d07c8b4cfe73ce6731404368.exe	3
PID 2028 wrote to memory of 436	2028	53828613d07c8b4cfe73ce6731404368.exe	3
PID 2028 wrote to memory of 436	2028	53828613d07c8b4cfe73ce6731404368.exe	3
PID 2028 wrote to memory of 436	2028	53828613d07c8b4cfe73ce6731404368.exe	3
PID 2028 wrote to memory of 480	2028	53828613d07c8b4cfe73ce6731404368.exe	2
PID 2028 wrote to memory of 480	2028	53828613d07c8b4cfe73ce6731404368.exe	2
PID 2028 wrote to memory of 480	2028	53828613d07c8b4cfe73ce6731404368.exe	2
PID 2028 wrote to memory of 480	2028	53828613d07c8b4cfe73ce6731404368.exe	2
PID 2028 wrote to memory of 480	2028	53828613d07c8b4cfe73ce6731404368.exe	2
PID 2028 wrote to memory of 496	2028	53828613d07c8b4cfe73ce6731404368.exe	1
PID 2028 wrote to memory of 496	2028	53828613d07c8b4cfe73ce6731404368.exe	1
PID 2028 wrote to memory of 496	2028	53828613d07c8b4cfe73ce6731404368.exe	1
PID 2028 wrote to memory of 496	2028	53828613d07c8b4cfe73ce6731404368.exe	1
PID 2028 wrote to memory of 496	2028	53828613d07c8b4cfe73ce6731404368.exe	1
PID 2028 wrote to memory of 504	2028	53828613d07c8b4cfe73ce6731404368.exe	26
PID 2028 wrote to memory of 504	2028	53828613d07c8b4cfe73ce6731404368.exe	26
PID 2028 wrote to memory of 504	2028	53828613d07c8b4cfe73ce6731404368.exe	26
PID 2028 wrote to memory of 504	2028	53828613d07c8b4cfe73ce6731404368.exe	26
PID 2028 wrote to memory of 504	2028	53828613d07c8b4cfe73ce6731404368.exe	26
PID 2028 wrote to memory of 612	2028	53828613d07c8b4cfe73ce6731404368.exe	8
PID 2028 wrote to memory of 612	2028	53828613d07c8b4cfe73ce6731404368.exe	8
PID 2028 wrote to memory of 612	2028	53828613d07c8b4cfe73ce6731404368.exe	8
PID 2028 wrote to memory of 612	2028	53828613d07c8b4cfe73ce6731404368.exe	8
PID 2028 wrote to memory of 612	2028	53828613d07c8b4cfe73ce6731404368.exe	8
PID 2028 wrote to memory of 692	2028	53828613d07c8b4cfe73ce6731404368.exe	25
PID 2028 wrote to memory of 692	2028	53828613d07c8b4cfe73ce6731404368.exe	25
PID 2028 wrote to memory of 692	2028	53828613d07c8b4cfe73ce6731404368.exe	25
PID 2028 wrote to memory of 692	2028	53828613d07c8b4cfe73ce6731404368.exe	25
PID 2028 wrote to memory of 692	2028	53828613d07c8b4cfe73ce6731404368.exe	25
PID 2028 wrote to memory of 760	2028	53828613d07c8b4cfe73ce6731404368.exe	24
PID 2028 wrote to memory of 760	2028	53828613d07c8b4cfe73ce6731404368.exe	24
PID 2028 wrote to memory of 760	2028	53828613d07c8b4cfe73ce6731404368.exe	24
PID 2028 wrote to memory of 760	2028	53828613d07c8b4cfe73ce6731404368.exe	24
PID 2028 wrote to memory of 760	2028	53828613d07c8b4cfe73ce6731404368.exe	24
PID 2028 wrote to memory of 832	2028	53828613d07c8b4cfe73ce6731404368.exe	9
PID 2028 wrote to memory of 832	2028	53828613d07c8b4cfe73ce6731404368.exe	9
PID 2028 wrote to memory of 832	2028	53828613d07c8b4cfe73ce6731404368.exe	9
PID 2028 wrote to memory of 832	2028	53828613d07c8b4cfe73ce6731404368.exe	9
PID 2028 wrote to memory of 832	2028	53828613d07c8b4cfe73ce6731404368.exe	9
PID 2028 wrote to memory of 872	2028	53828613d07c8b4cfe73ce6731404368.exe	23
PID 2028 wrote to memory of 872	2028	53828613d07c8b4cfe73ce6731404368.exe	23
PID 2028 wrote to memory of 872	2028	53828613d07c8b4cfe73ce6731404368.exe	23
PID 2028 wrote to memory of 872	2028	53828613d07c8b4cfe73ce6731404368.exe	23
PID 2028 wrote to memory of 872	2028	53828613d07c8b4cfe73ce6731404368.exe	23
PID 2028 wrote to memory of 984	2028	53828613d07c8b4cfe73ce6731404368.exe	10
PID 2028 wrote to memory of 984	2028	53828613d07c8b4cfe73ce6731404368.exe	10
PID 2028 wrote to memory of 984	2028	53828613d07c8b4cfe73ce6731404368.exe	10
PID 2028 wrote to memory of 984	2028	53828613d07c8b4cfe73ce6731404368.exe	10
PID 2028 wrote to memory of 984	2028	53828613d07c8b4cfe73ce6731404368.exe	10
PID 2028 wrote to memory of 288	2028	53828613d07c8b4cfe73ce6731404368.exe	21
PID 2028 wrote to memory of 288	2028	53828613d07c8b4cfe73ce6731404368.exe	21
PID 2028 wrote to memory of 288	2028	53828613d07c8b4cfe73ce6731404368.exe	21
PID 2028 wrote to memory of 288	2028	53828613d07c8b4cfe73ce6731404368.exe	21

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:612
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1884
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:832
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1188
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:984
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2308
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:288
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:692
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k netsvcs
  2⤵
  - Loads dropped DLL
  PID:1876

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\53828613d07c8b4cfe73ce6731404368.exe
  "C:\Users\Admin\AppData\Local\Temp\53828613d07c8b4cfe73ce6731404368.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\nwcwks.dll

Filesize
8KB

MD5
560f8147e9bb5a728d8715120d2f7e7f

SHA1
bbe08f172eae8f6e49a6e1b8bb121816c326f8e3

SHA256
19e1012e46327170d1860a8f38c96bddf25d1e4abd42cb3f4581a6d3d08fd9f9

SHA512
20659449d1c2a2319bd24532f6be5bfe4d1a6fbf279478adae65bf534eab52bc16cef2136c138db1e90ed63880ae518cdbf7db87cdecd75d592dd7c5a279a53b

Download Submit
memory/2028-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2028-3-0x00000000771DF000-0x00000000771E0000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2028-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download