34fb84c46783bebdf15caede429ba6d72ebdba23360a8067df0f01463614c538

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778f9b2f5ed649514c82b93e5f314a69.exe
Size

581KB
MD5

778f9b2f5ed649514c82b93e5f314a69
SHA1

7417a710e30731874c84b86afc543f4c3187b749
SHA256

34fb84c46783bebdf15caede429ba6d72ebdba23360a8067df0f01463614c538
SHA512

d42c8edbb48828122e655bf086e5ce1f1d137339cb3163d3975ef0086fb5b1204c54a0cd1bb043b5ac5c5632b377b726a6fa82842ad46d86deb18490c0ec6a56
SSDEEP

12288:yMH8l0btikVa39/jGsF3Z4mxxuW2+rDxVkVnKrpJp+:yTN9/j1QmXuWbr980c

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stisvr.dll\Parameters\ServiceDll = "C:\\Windows\\system32\\stisvr.dll"	778f9b2f5ed649514c82b93e5f314a69.exe

Loads dropped DLL 1 IoCs

pid	Process
4132	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\stisvr.dll	778f9b2f5ed649514c82b93e5f314a69.exe
File opened for modification	C:\Windows\SysWOW64\stisvr.dll	778f9b2f5ed649514c82b93e5f314a69.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 316	888	778f9b2f5ed649514c82b93e5f314a69.exe	91
PID 888 wrote to memory of 316	888	778f9b2f5ed649514c82b93e5f314a69.exe	91
PID 888 wrote to memory of 316	888	778f9b2f5ed649514c82b93e5f314a69.exe	91

C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe
"C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\778f9b2f5ed649514c82b93e5f314a69.exe"
  2⤵
  PID:316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\stisvr.dll

Filesize
149KB

MD5
8f169e224836eab72f2f83bfcd133016

SHA1
5642efaaf54744768205879d5668a5815944de4d

SHA256
9ccc10023d52cdbe97448efa3da9449ead71ccbb25cc376ecdfa9bffc1418188

SHA512
94fa2bd2e6a023a67f46c4be3951ca46fcb618f458e9f4d7656cb907b99ad497945c6a28bbc9e43bdc82bb032c6cc3ac4751e135e2a9ccc8a0b48d4dd7e827c6

Download Submit
\??\c:\windows\SysWOW64\stisvr.dll

Filesize
144KB

MD5
279a35666281d1a2b950f09be4e2afa1

SHA1
75d381c5644af57d9608db0fd625766d686b1d04

SHA256
961cb5de73ab8caeef947704c5a27d207c32f611ecb8fa368c9620e18a1dfe05

SHA512
9209dc2b07c2e9600c23ddb88ac13cf98f89a0e6417836f6bcca41e72464aa08add744664c8ed1ce3756883c42cf18e0f8a1946c2db514d3399facc6fa9fd8e7

Download Submit
memory/888-0-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-1-0x0000000000AF0000-0x0000000000B44000-memory.dmp

Filesize
336KB

Download
memory/888-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/888-33-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-34-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-32-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-35-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-44-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-46-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-47-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-45-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-43-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-48-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-50-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-54-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-56-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-59-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-60-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-61-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-63-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-65-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-64-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-62-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-58-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-57-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-55-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-53-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-49-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-42-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-41-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-40-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-39-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-38-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-37-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-36-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-31-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-30-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-29-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-81-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/888-28-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-27-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-26-0x00000000034F0000-0x00000000035F0000-memory.dmp

Filesize
1024KB

Download
memory/888-25-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/888-24-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/888-22-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/888-23-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/888-21-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/888-20-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/888-19-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/888-18-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/888-17-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/888-16-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/888-15-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/888-14-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/888-13-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/888-12-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/888-11-0x00000000034A0000-0x00000000034A2000-memory.dmp

Filesize
8KB

Download
memory/888-10-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/888-9-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/888-8-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/888-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/888-6-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/888-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/888-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/888-2-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4132-83-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads