1e26ec8397bdc7b7b6ffb3169dbeb7f16ce8bd2d80398ccb0edcbd7b189d639e

Analysis

max time kernel
265s
max time network
312s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

haveSimpleAnd.dll
Size

454KB
MD5

fdd1d81128f8fe9022d3cd6ae0f08bf1
SHA1

25f03defe490c9cc8455a0216e626217ca19abe5
SHA256

1e26ec8397bdc7b7b6ffb3169dbeb7f16ce8bd2d80398ccb0edcbd7b189d639e
SHA512

c3186b17f5b49b1c1d9ce102c227aa384e1a829f0e8bd682977a9bbad6b32e148b99f98f965a0608cf5d37914d8ac76d1308c3ca3c2fded7af48575bf69d70f1

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2016 created 3036 2016 regsvr32.exe Explorer.EXE
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 myexternalip.com
25 myexternalip.com
26 myexternalip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2016 set thread context of 4092 2016 regsvr32.exe chrome.exe
Discovers systems in the same network 1 TTPs 6 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exenet.exenet.exenet.exe

pid process

3220 net.exe
3732 net.exe
2208 net.exe
732 net.exe
3776 net.exe
3392 net.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

regsvr32.exechrome.exe

pid process

2016 regsvr32.exe
2016 regsvr32.exe
4092 chrome.exe
4092 chrome.exe
4092 chrome.exe
4092 chrome.exe
4092 chrome.exe
4092 chrome.exe

description	pid	process	target process
PID 2016 created 3036	2016	regsvr32.exe	Explorer.EXE

flow	ioc
35	myexternalip.com
25	myexternalip.com
26	myexternalip.com

description	pid	process	target process
PID 2016 set thread context of 4092	2016	regsvr32.exe	chrome.exe

pid	process
3220	net.exe
3732	net.exe
2208	net.exe
732	net.exe
3776	net.exe
3392	net.exe

pid	process
2016	regsvr32.exe
2016	regsvr32.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe
PID 2016 wrote to memory of 4092	2016	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3036
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\haveSimpleAnd.dll
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- - C:\Windows\SYSTEM32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:3776
- - C:\Windows\SYSTEM32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:3392
- - C:\Windows\SYSTEM32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:2136
- - C:\Windows\SYSTEM32\net.exe
    net localgroup administrator
    3⤵
    PID:644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:2756
- - C:\Windows\SYSTEM32\net.exe
    net group /domain admins
    3⤵
    PID:2768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:2512
- - C:\Windows\SYSTEM32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:3220
- - C:\Windows\SYSTEM32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:3732
- - C:\Windows\SYSTEM32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:3128
- - C:\Windows\SYSTEM32\net.exe
    net localgroup administrator
    3⤵
    PID:2296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:2516
- - C:\Windows\SYSTEM32\net.exe
    net group /domain admins
    3⤵
    PID:848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:3728
- - C:\Windows\SYSTEM32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:2208
- - C:\Windows\SYSTEM32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:732
- - C:\Windows\SYSTEM32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:3864
- - C:\Windows\SYSTEM32\net.exe
    net localgroup administrator
    3⤵
    PID:1260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:1416
- - C:\Windows\SYSTEM32\net.exe
    net group /domain admins
    3⤵
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:2272

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\haveSimpleAnd.dll"
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-122-0x0000000000000000-mapping.dmp

Download
memory/732-134-0x0000000000000000-mapping.dmp

Download
memory/848-131-0x0000000000000000-mapping.dmp

Download
memory/1260-136-0x0000000000000000-mapping.dmp

Download
memory/1416-137-0x0000000000000000-mapping.dmp

Download
memory/2016-114-0x0000000002380000-0x000000000262A000-memory.dmp

Filesize
2.7MB

Download
memory/2136-121-0x0000000000000000-mapping.dmp

Download
memory/2208-133-0x0000000000000000-mapping.dmp

Download
memory/2272-139-0x0000000000000000-mapping.dmp

Download
memory/2288-138-0x0000000000000000-mapping.dmp

Download
memory/2296-129-0x0000000000000000-mapping.dmp

Download
memory/2512-125-0x0000000000000000-mapping.dmp

Download
memory/2516-130-0x0000000000000000-mapping.dmp

Download
memory/2756-123-0x0000000000000000-mapping.dmp

Download
memory/2768-124-0x0000000000000000-mapping.dmp

Download
memory/3128-128-0x0000000000000000-mapping.dmp

Download
memory/3220-126-0x0000000000000000-mapping.dmp

Download
memory/3392-120-0x0000000000000000-mapping.dmp

Download
memory/3728-132-0x0000000000000000-mapping.dmp

Download
memory/3732-127-0x0000000000000000-mapping.dmp

Download
memory/3756-118-0x0000000002AE0000-0x0000000002D8A000-memory.dmp

Filesize
2.7MB

Download
memory/3776-119-0x0000000000000000-mapping.dmp

Download
memory/3864-135-0x0000000000000000-mapping.dmp

Download
memory/4092-117-0x00007FF710DE0000-0x00007FF711025000-memory.dmp

Filesize
2.3MB

Download
memory/4092-116-0x00007FF710FF77D8-mapping.dmp

Download
memory/4092-115-0x00007FF710DE0000-0x00007FF711025000-memory.dmp

Filesize
2.3MB

Download