7aa820a3dd9f2761c9e9f51aa3dd36e227fdeb4fc3f881b1d7518404d31e2780

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f629866bcac2e6e13d2366a64a7fd1.exe
Size

60KB
MD5

a1f629866bcac2e6e13d2366a64a7fd1
SHA1

8c0a8b7c6437c583a4ee7f3ea73e8ea735dd3630
SHA256

7aa820a3dd9f2761c9e9f51aa3dd36e227fdeb4fc3f881b1d7518404d31e2780
SHA512

010dca69d449548ad6db9cb4af0ef3e0cd82fcf1ff5e235ea444faec962836b658cfb9f2063c07277045a21a3dc8607dc9eeb0ab94082239fe7abe50850fe7fe
SSDEEP

1536:IOP3qkkUlIk+Vbqrxz6z3e9wiEx919GZJEZSgF:Iy6kE19G7EZTF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	msguard32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\System32\Drivers\etc\HOSTS	msguard32.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	msguard32.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	a1f629866bcac2e6e13d2366a64a7fd1.exe
2184	a1f629866bcac2e6e13d2366a64a7fd1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Guard = "C:\\Windows\\SysWOW64\\msguard32.exe"	msguard32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows UDP Guard = "C:\\Windows\\SysWOW64\\msguard32.exe"	msguard32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msguard32.exe	a1f629866bcac2e6e13d2366a64a7fd1.exe
File opened for modification	C:\Windows\SysWOW64\msguard32.exe	a1f629866bcac2e6e13d2366a64a7fd1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\HOSTS	msguard32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2184	a1f629866bcac2e6e13d2366a64a7fd1.exe
3040	msguard32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3040	2184	a1f629866bcac2e6e13d2366a64a7fd1.exe	28
PID 2184 wrote to memory of 3040	2184	a1f629866bcac2e6e13d2366a64a7fd1.exe	28
PID 2184 wrote to memory of 3040	2184	a1f629866bcac2e6e13d2366a64a7fd1.exe	28
PID 2184 wrote to memory of 3040	2184	a1f629866bcac2e6e13d2366a64a7fd1.exe	28

C:\Users\Admin\AppData\Local\Temp\a1f629866bcac2e6e13d2366a64a7fd1.exe
"C:\Users\Admin\AppData\Local\Temp\a1f629866bcac2e6e13d2366a64a7fd1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\msguard32.exe
  "C:\Windows\system32\msguard32.exe" /run
  2⤵
  - Modifies security service
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msguard32.exe

Filesize
60KB

MD5
a1f629866bcac2e6e13d2366a64a7fd1

SHA1
8c0a8b7c6437c583a4ee7f3ea73e8ea735dd3630

SHA256
7aa820a3dd9f2761c9e9f51aa3dd36e227fdeb4fc3f881b1d7518404d31e2780

SHA512
010dca69d449548ad6db9cb4af0ef3e0cd82fcf1ff5e235ea444faec962836b658cfb9f2063c07277045a21a3dc8607dc9eeb0ab94082239fe7abe50850fe7fe

Download Submit
memory/2184-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads