e8fc76a379b0aa0320b6ffa60a6a47b51b1ea1e28b46b3e6c495a0c78f020c0f

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 00:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

980d30e7c1d5b9a68a243a20fd81f684.exe
Size

41KB
MD5

980d30e7c1d5b9a68a243a20fd81f684
SHA1

9ae55720ddec68b5534b831431d97e604230335c
SHA256

e8fc76a379b0aa0320b6ffa60a6a47b51b1ea1e28b46b3e6c495a0c78f020c0f
SHA512

941fb46b2b59bdfa8e01540c78d41bd1c15871e38703feca688c2d0152e182aafe82643b2c45c7d63f5a04275d7474284743a5daa29b5092cecbda5759d4cff5
SSDEEP

768:SGFhEA7GlIBL0+Gx9XLc6E3iKOnUJHMNAJ6X3Auv6n8Cn9Lab/AzH:SwhD5Qo6KzBMNK8CA4j

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	980d30e7c1d5b9a68a243a20fd81f684.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	980d30e7c1d5b9a68a243a20fd81f684.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	980d30e7c1d5b9a68a243a20fd81f684.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Workstation1\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstation1.dll"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2148	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	980d30e7c1d5b9a68a243a20fd81f684.exe
2148	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Workstation1.dll	980d30e7c1d5b9a68a243a20fd81f684.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2148	svchost.exe
2148	svchost.exe
2148	svchost.exe

C:\Users\Admin\AppData\Local\Temp\980d30e7c1d5b9a68a243a20fd81f684.exe
"C:\Users\Admin\AppData\Local\Temp\980d30e7c1d5b9a68a243a20fd81f684.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:2280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Workstation1
1⤵
- Sets DLL path for service in the registry
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Workstation1.dll

Filesize
57KB

MD5
0424d5f5f29a42d9e1a41f184bdb3489

SHA1
f8a42df51fa4f31838b057e5f602aecad4023f8b

SHA256
056c39abaf5a0e40e518870dd6bec9604a3babcf8491d9d5533bd192d87f0680

SHA512
081bac30b25536813a26dc31227eb2f0a7625d895ff503a9a68c24f610870d821c7c97ecc1911ca1fd63f2bc8ec24a0aba5a676e21f996bb2afc0bbc9a3ff919

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads