399820f7522c6d4dee827de584f98f4b572b1dc97421065a74a6c6848b5d9ba4

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 10:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7cd84e564c20a685e067c9cc6125ed06.exe
Size

623KB
MD5

7cd84e564c20a685e067c9cc6125ed06
SHA1

fdd16497942a358c012cb7c9e3d94563626ab10a
SHA256

399820f7522c6d4dee827de584f98f4b572b1dc97421065a74a6c6848b5d9ba4
SHA512

84018910c219d6b8b5c0c2c2f023978a494467446e962a53e0b922d6e6a89e6c3397eae70415aa4368ee598e3390076f3f53c54493814be65d4741d10ab4c245
SSDEEP

12288:iu7YYvncgVhfc8oreTPekX3CbiB1mMzcWwHeI1JZjZ/ks:uYnFoY2kX3Cbw1dzcpx8s

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	7cd84e564c20a685e067c9cc6125ed06.exe

Deletes itself 1 IoCs

pid	Process
2072	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	7cd84e564c20a685e067c9cc6125ed06.exe

C:\Users\Admin\AppData\Local\Temp\7cd84e564c20a685e067c9cc6125ed06.exe
"C:\Users\Admin\AppData\Local\Temp\7cd84e564c20a685e067c9cc6125ed06.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:1228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll

Filesize
111KB

MD5
9eac4d06e125e041f6ffb1986cff8300

SHA1
8c3a290ad9d779af17e32e55ff7328f08d3fca33

SHA256
4cec4a97c56e110eff8f52fe382110f588dd8f3ba56a7a49bdd103d9494fa81e

SHA512
880ba252458db7554a30811e993bf5539cff43b2f206a893f011ca053a822557ea5b91a79198ffae4717ae7d2bfd40829e25bc238a6e95d14f93f805a084c24c

Download Submit
memory/1228-1-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1228-0-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1228-2-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1228-7-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads