34fb84c46783bebdf15caede429ba6d72ebdba23360a8067df0f01463614c538

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778f9b2f5ed649514c82b93e5f314a69.exe
Size

581KB
MD5

778f9b2f5ed649514c82b93e5f314a69
SHA1

7417a710e30731874c84b86afc543f4c3187b749
SHA256

34fb84c46783bebdf15caede429ba6d72ebdba23360a8067df0f01463614c538
SHA512

d42c8edbb48828122e655bf086e5ce1f1d137339cb3163d3975ef0086fb5b1204c54a0cd1bb043b5ac5c5632b377b726a6fa82842ad46d86deb18490c0ec6a56
SSDEEP

12288:yMH8l0btikVa39/jGsF3Z4mxxuW2+rDxVkVnKrpJp+:yTN9/j1QmXuWbr980c

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\stisvr.dll\Parameters\ServiceDll = "C:\\Windows\\system32\\stisvr.dll"	778f9b2f5ed649514c82b93e5f314a69.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2676	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\stisvr.dll	778f9b2f5ed649514c82b93e5f314a69.exe
File opened for modification	C:\Windows\SysWOW64\stisvr.dll	778f9b2f5ed649514c82b93e5f314a69.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2684	2040	778f9b2f5ed649514c82b93e5f314a69.exe	29
PID 2040 wrote to memory of 2684	2040	778f9b2f5ed649514c82b93e5f314a69.exe	29
PID 2040 wrote to memory of 2684	2040	778f9b2f5ed649514c82b93e5f314a69.exe	29
PID 2040 wrote to memory of 2684	2040	778f9b2f5ed649514c82b93e5f314a69.exe	29

C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe
"C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe"
  2⤵
  - Deletes itself
  PID:2684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\stisvr.dll

Filesize
145KB

MD5
ed9da1a7bb38c06774367b1d596464fc

SHA1
db1d31bc903028957bbffaff790be6140cc3490c

SHA256
9780e550a0b207251b8ecb10246a11da624df781047f12e396c43627af31b915

SHA512
ccc0e158bce48a16c9b98e49fe5329d3d5be8f0580c30a980aa83c2d3138d49cc833ee4068117b226000e290b7ce9ca9c6da0749f9e04aa87cf52081484c80d3

Download Submit
\Windows\SysWOW64\stisvr.dll

Filesize
144KB

MD5
2966e445f2499f7ed2cc1578d782d83a

SHA1
08941bec6e676a77a18c154cbb3b8dc476abf5dd

SHA256
ebac36ed2af0348fc20496ff6340679e4025878f16c1ae62d54f7993f2a08d78

SHA512
05ca59a64bcb2519cf0085b853c48adaa4877b1cc48479b990f57d7b1aee481c4561e3cb02f14a3d2cd76e0c7314c188843e197aa359adf40a3d9327408dc3a5

Download Submit
memory/2040-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2040-1-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2040-8-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2040-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2040-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2040-6-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2040-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2040-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2040-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2040-10-0x0000000003200000-0x0000000003202000-memory.dmp

Filesize
8KB

Download
memory/2040-12-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2040-11-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2040-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2040-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2040-16-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2040-17-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2040-18-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2040-19-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2040-20-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2040-21-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2040-22-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2040-23-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2040-24-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2040-25-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2040-26-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-29-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-30-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-31-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-32-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-33-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-34-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-35-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-36-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-37-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-39-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-38-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-40-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-42-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-43-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-45-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-44-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-46-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-48-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-47-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-41-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-49-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-52-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-57-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-60-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-59-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-61-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-58-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-62-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-63-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-56-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-65-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-64-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-55-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-54-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-53-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-51-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-50-0x0000000003250000-0x0000000003350000-memory.dmp

Filesize
1024KB

Download
memory/2040-82-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2676-78-0x00000000006D0000-0x000000000075B000-memory.dmp

Filesize
556KB

Download
memory/2676-85-0x00000000006D0000-0x000000000075B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads