98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2e

General

Target

98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll
Size

56KB
MD5

8fbd55a5c56d992a67250188dea506f0
SHA1

1b8387cd4701c84ce21f24a5d873752f02dbde09
SHA256

98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2e
SHA512

d2af17d34e6a1bff287eb585c66bc99c6dd01bb325eb96eabd6a41b55cdc75fb49547777ac4d6461e18b256e5a759b33460f1174473468841db488b6608d04fc
SSDEEP

768:PlGGcRxO4sksBUEm1Hk3CjV3dBEsZy1I+58tsW4pahGmItOxL+KnoRuk3yv4Avjf:PEa4LJkSjVjEsoy+58clmItOxL3dv4

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wpafytsoxlSv\Parameters\ServiceDll = "C:\\Windows\\SysWOW64\\svcwpafyts.dll"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	rundll32.exe
2752	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svcwpafyts.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\svcwpafyts.dll	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	svchost.exe
2752	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29
PID 1756 wrote to memory of 1968	1756	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\98cdf9280fd6449b15e2b3d519841439bd60e3198e471dbbae8ecbba35339b2eN.dll,#1
  2⤵
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k DcomSec
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\logbot.txt

Filesize
3KB

MD5
614e7d4b0a0ebb1bee8d91c7506c8931

SHA1
be766ccd6d8b827ef7d4c090a438a3174b170cab

SHA256
39f2082ad8528e613c281ca8d2a2334ec2a9f397ebd7224aa2700a8b6a21da09

SHA512
de648f1920e6858e0170f3d76a4b0a2a18f1dadccbb4cda06b1826c81c6c045dc926b33bde7fc34aab1e05a5153bc0117b094bcd533a292a5826527d31be45d0

Download Submit
C:\logbot.txt

Filesize
4KB

MD5
fbc6115cac5c36aaf3ec65c5bb026191

SHA1
292f43816c2bc7be98e8570b7f07799838a1b44e

SHA256
f046faf931a4eaea472a125bc85c50b3c562c20962a19948c10351e67e5de614

SHA512
547d74efc294699dbc40f8a5e3d24ad7c40738c4da8c50db9a7b2d819e9eaf707ef03520371c7a72665300a378be048ade10ae2cecfba62f09634fe75a2716aa

Download Submit
\??\c:\logbot.txt

Filesize
2KB

MD5
b041464d4013075dce8b8477c3e8e906

SHA1
2997f982849279b4b1f0959f0c1c1eb3d747e72c

SHA256
a0ba9a63bef10c30f44a049d4eafde135bd1dd7a48856d6a0fcfb843fa65fbfe

SHA512
7714780f25b2f41590696087fc03f4b6aeabc451d6274c3950d3d24bd7b245de07a7330743450ba2a7c76899c7bb02e69dae7a328513ef592cbcef9c770e395b

Download Submit
\??\c:\logbot.txt

Filesize
4KB

MD5
2820fa35df7c192d81c770e48278590f

SHA1
576015698e76233db2e073a72dbdf03511d4ca75

SHA256
7887aadd9c02d41c9174cb0896863e2a497cee0cd50af704a1b6b30fd501a412

SHA512
d3514786e42973b86bb0ad05d012a5918d8d9ceeb7ea9d8a8cabe03c9b537b1f2ac87a8e8d8dd4dbe8ada662ba0c9cc7de0b04a54f23dcfa4edbf8b5a4bfd943

Download Submit
\??\c:\windows\syswow64\svcwpafyts.dll

Filesize
56KB

MD5
4421bd084e4e388af821f0d9fed21e48

SHA1
293950af6a0e5839876b82c2093b7f35920bb0d4

SHA256
94acff7154ca16db6a97cf845fe0eb280df78c09e600aaa8590fd09fa57a6094

SHA512
11c2742d7a763efc0f8100f58f31debe8afa1a1c0897e2426d1a310a791915c63435cf37f9724e470a9c164bdf92c2d2a847481679e51d40294ff2b71048c101

Download Submit
\Users\Admin\AppData\Local\Temp\lse52D1.tmp

Filesize
56KB

MD5
a4149aa28865646ab0c0d7161939b8bc

SHA1
59f8834ca653006cc4204551d9ed52fcd98970e2

SHA256
23c996a825deebaaef0e97e8a902cc832b8dcdc96e10395f11a687d3013ed265

SHA512
a20bab18527dd8f42f7f3c85838f9b1f7dc38d650cc6bcd80f8e0b285d17bc2e5229c726955462ccdb0fc5c4f68f8fa2b2f05f6ad0805e8d10ed9d378e21cfb3

Download Submit
memory/1968-17-0x00000000752D0000-0x00000000752E1000-memory.dmp

Filesize
68KB

Download
memory/1968-1-0x0000000075540000-0x0000000075551000-memory.dmp

Filesize
68KB

Download
memory/1968-0-0x0000000075580000-0x0000000075591000-memory.dmp

Filesize
68KB

Download
memory/1968-2-0x0000000075580000-0x0000000075591000-memory.dmp

Filesize
68KB

Download
memory/1968-3-0x0000000075560000-0x0000000075571000-memory.dmp

Filesize
68KB

Download
memory/1968-83-0x0000000075560000-0x0000000075571000-memory.dmp

Filesize
68KB

Download
memory/1968-84-0x00000000752D0000-0x00000000752E1000-memory.dmp

Filesize
68KB

Download
memory/1968-104-0x0000000075580000-0x0000000075591000-memory.dmp

Filesize
68KB

Download
memory/1968-105-0x0000000075540000-0x0000000075551000-memory.dmp

Filesize
68KB

Download
memory/2752-36-0x0000000075290000-0x00000000752A1000-memory.dmp

Filesize
68KB

Download
memory/2752-85-0x0000000075290000-0x00000000752A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing