cdcc1167b9e739f6d0c7d96ca0d98f069f0a0efa3fcd2bffb301d1cb5effe86d

General

Target

c7a2fc7ac0e77e96dbc7fcd7096ad888.exe
Size

585KB
MD5

c7a2fc7ac0e77e96dbc7fcd7096ad888
SHA1

33410b05b45cdfb880c283848de0edfc9d500475
SHA256

cdcc1167b9e739f6d0c7d96ca0d98f069f0a0efa3fcd2bffb301d1cb5effe86d
SHA512

1dbf2d9659c71915875fb4c015d9b915f87738ce0b67f0f21a8ea19d0b49af23450c27c2b7d599a327a28b786d61d967db077e4d7b23931f77d3e32fac1ed71e
SSDEEP

12288:TK5kZW+oXlolfKzOtzzFRF3Z4mxx0DqVTVOCRU:TC+/YloNDrRQmXjVTzO

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\test\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dat	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe
File created	C:\Windows\SysWOW64\System64.dll	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2092	1072	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe	28
PID 1072 wrote to memory of 2092	1072	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe	28
PID 1072 wrote to memory of 2092	1072	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe	28
PID 1072 wrote to memory of 2092	1072	c7a2fc7ac0e77e96dbc7fcd7096ad888.exe	28

C:\Users\Admin\AppData\Local\Temp\c7a2fc7ac0e77e96dbc7fcd7096ad888.exe
"C:\Users\Admin\AppData\Local\Temp\c7a2fc7ac0e77e96dbc7fcd7096ad888.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\c7a2fc7ac0e77e96dbc7fcd7096ad888.exe
  C:\Users\Admin\AppData\Local\Temp\c7a2fc7ac0e77e96dbc7fcd7096ad888.exe -Nod32
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  PID:2092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\System64.dat

Filesize
81B

MD5
e90dd614e9d49dd4d15af8f3bc23138e

SHA1
96ab2a682171994021ff79f3b1457213b3631f80

SHA256
51ff15c1fae0e95704191e28e8a8bc615455420795d2a7d7630fed857d644654

SHA512
fe5deade9ea75b3b894d29f60ca39ff9cfb77f219f4f0ba78a14adc17c27b00aa84caa2895c5dee2199b32634ae3dfad6ce191b0cb684620fda12c634fb75ca3

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
356KB

MD5
db5860a33597ab0c07dfc1db63ae2f18

SHA1
090ef07a72a2abb760a93cd91843c40830f28bbc

SHA256
fe0111deb680994a2cec676d7a31b70dc1b3f36d54db41046b8f1be5862353b1

SHA512
1d37e5df05f04b88f1c46e08de173bd8d9e67035104d07b15ab8064055c98371ccf962408665a32941e9604df69453de84d0d6a21b72f3ce1fe1c5d6d2ff96a0

Download Submit
memory/1072-20-0x0000000001C80000-0x0000000001CD4000-memory.dmp

Filesize
336KB

Download
memory/1072-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1072-4-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1072-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1072-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1072-9-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1072-10-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1072-11-0x00000000031E0000-0x00000000032E0000-memory.dmp

Filesize
1024KB

Download
memory/1072-12-0x00000000031E0000-0x00000000032E0000-memory.dmp

Filesize
1024KB

Download
memory/1072-13-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1072-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1072-2-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1072-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1072-21-0x00000000031E0000-0x00000000032E0000-memory.dmp

Filesize
1024KB

Download
memory/1072-1-0x0000000001C80000-0x0000000001CD4000-memory.dmp

Filesize
336KB

Download
memory/1968-29-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-30-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-28-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-37-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-24-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-25-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-26-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-36-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-19-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-27-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-23-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-31-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-32-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-33-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-34-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/1968-35-0x0000000000130000-0x000000000018F000-memory.dmp

Filesize
380KB

Download
memory/2092-17-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2092-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads