aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1

General

Target

nady6.dll
Size

1.3MB
MD5

1f45bcf1fb8b7ef74a57d19a371f41cf
SHA1

9b7f346a04f8481c22fb6f8853f76349402a7009
SHA256

aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1
SHA512

6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 684 created 1208 684 regsvr32.exe Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

684 regsvr32.exe

description	pid	process	target process
PID 684 created 1208	684	regsvr32.exe	Explorer.EXE

pid	process
684	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\keimjdkhqxa.exe\" mscp arih"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

regsvr32.exechrome.exe

description	pid	process	target process
PID 684 set thread context of 956	684	regsvr32.exe	chrome.exe
PID 956 set thread context of 1396	956	chrome.exe	chrome.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1284 reg.exe
1720 reg.exe
552 reg.exe
1032 reg.exe
1548 reg.exe
1296 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

872 PING.EXE
1824 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

744 regsvr32.exe
684 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

regsvr32.exeregsvr32.exechrome.exe

pid process

744 regsvr32.exe
684 regsvr32.exe
684 regsvr32.exe
956 chrome.exe
956 chrome.exe

pid	process
1284	reg.exe
1720	reg.exe
552	reg.exe
1032	reg.exe
1548	reg.exe
1296	reg.exe

pid	process
872	PING.EXE
1824	PING.EXE

pid	process
744	regsvr32.exe
684	regsvr32.exe

pid	process
744	regsvr32.exe
684	regsvr32.exe
684	regsvr32.exe
956	chrome.exe
956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.execmd.exeregsvr32.execmd.execmd.exeregsvr32.execmd.execmd.exechrome.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 792	816	regsvr32.exe	cmd.exe
PID 816 wrote to memory of 792	816	regsvr32.exe	cmd.exe
PID 816 wrote to memory of 792	816	regsvr32.exe	cmd.exe
PID 792 wrote to memory of 872	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 872	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 872	792	cmd.exe	PING.EXE
PID 792 wrote to memory of 744	792	cmd.exe	regsvr32.exe
PID 792 wrote to memory of 744	792	cmd.exe	regsvr32.exe
PID 792 wrote to memory of 744	792	cmd.exe	regsvr32.exe
PID 792 wrote to memory of 744	792	cmd.exe	regsvr32.exe
PID 792 wrote to memory of 744	792	cmd.exe	regsvr32.exe
PID 744 wrote to memory of 1652	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 1652	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 1652	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 428	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 428	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 428	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 1148	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 1148	744	regsvr32.exe	cmd.exe
PID 744 wrote to memory of 1148	744	regsvr32.exe	cmd.exe
PID 428 wrote to memory of 1284	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1284	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1284	428	cmd.exe	reg.exe
PID 1148 wrote to memory of 1824	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1824	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1824	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 684	1148	cmd.exe	regsvr32.exe
PID 1148 wrote to memory of 684	1148	cmd.exe	regsvr32.exe
PID 1148 wrote to memory of 684	1148	cmd.exe	regsvr32.exe
PID 1148 wrote to memory of 684	1148	cmd.exe	regsvr32.exe
PID 1148 wrote to memory of 684	1148	cmd.exe	regsvr32.exe
PID 684 wrote to memory of 1116	684	regsvr32.exe	cmd.exe
PID 684 wrote to memory of 1116	684	regsvr32.exe	cmd.exe
PID 684 wrote to memory of 1116	684	regsvr32.exe	cmd.exe
PID 1116 wrote to memory of 748	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 748	1116	cmd.exe	reg.exe
PID 1116 wrote to memory of 748	1116	cmd.exe	reg.exe
PID 684 wrote to memory of 1344	684	regsvr32.exe	cmd.exe
PID 684 wrote to memory of 1344	684	regsvr32.exe	cmd.exe
PID 684 wrote to memory of 1344	684	regsvr32.exe	cmd.exe
PID 1344 wrote to memory of 1952	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1952	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 1952	1344	cmd.exe	reg.exe
PID 684 wrote to memory of 956	684	regsvr32.exe	chrome.exe
PID 684 wrote to memory of 956	684	regsvr32.exe	chrome.exe
PID 684 wrote to memory of 956	684	regsvr32.exe	chrome.exe
PID 684 wrote to memory of 956	684	regsvr32.exe	chrome.exe
PID 684 wrote to memory of 956	684	regsvr32.exe	chrome.exe
PID 956 wrote to memory of 1552	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1552	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1552	956	chrome.exe	cmd.exe
PID 1552 wrote to memory of 1720	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1720	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1720	1552	cmd.exe	reg.exe
PID 956 wrote to memory of 1648	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1648	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1648	956	chrome.exe	cmd.exe
PID 1648 wrote to memory of 552	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 552	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 552	1648	cmd.exe	reg.exe
PID 956 wrote to memory of 1356	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1356	956	chrome.exe	cmd.exe
PID 956 wrote to memory of 1356	956	chrome.exe	cmd.exe
PID 1356 wrote to memory of 1032	1356	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\nady6.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\nady6.dll" mscp ahis & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
4⤵
- Runs ping.exe
PID:872

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\nady6.dll" mscp ahis
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\cmd.exe
cmd.exe /c echo %temp%
5⤵
PID:1652

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe\" mscp arih"
5⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe\" mscp arih"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:1284

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe" mscp arih & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:1824

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe" mscp arih
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
7⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
8⤵
PID:748

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
7⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
8⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" mscp amw fkprm "C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query HKCU\Software\WOW64DataView
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\reg.exe
reg.exe query HKCU\Software\WOW64DataView
4⤵
- Modifies registry key
PID:1720

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query HKCU\Software\IfranInfoView
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\reg.exe
reg.exe query HKCU\Software\IfranInfoView
4⤵
- Modifies registry key
PID:552

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\WOW64DataView /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\WOW64DataView /f
4⤵
- Modifies registry key
PID:1032

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\WOW64DataView /f /v datetime /t REG_BINARY /d 453E5E4839371F76485F79021318695D1D106C2B2A032F
3⤵
PID:1028

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\WOW64DataView /f /v datetime /t REG_BINARY /d 453E5E4839371F76485F79021318695D1D106C2B2A032F
4⤵
- Modifies registry key
PID:1548

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\WOW64DataView /f /v state /t REG_BINARY /d 5661082D3A206A3016407857
3⤵
PID:1312

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\WOW64DataView /f /v state /t REG_BINARY /d 5661082D3A206A3016407857
4⤵
- Modifies registry key
PID:1296

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
3⤵
PID:1812

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
4⤵
PID:1572

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
3⤵
PID:1064

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
4⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1140,34097304542653841524,21028115001970037882,294316 --lang=en-US --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=621--no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9808 /prefetch:1
3⤵
PID:1396

C:\Windows\system32\cmd.exe
cmd.exe /c "echo %windir%"
4⤵
PID:688

C:\Windows\system32\cmd.exe
cmd.exe /c "echo %windir%"
4⤵
PID:108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
39c6a52e797c5916a396aa9aef5cae6f

SHA1
13697e8805d972c149a12ccd8eca47683059fe11

SHA256
8f983fb322ba788fada3efefa050cb3f1838d563f50312d5429540109dcb46b0

SHA512
ed7d0c514d993ef6cff139ca2f01ee76729cba9bbb88dac3fe04c1c2bad101925d158744b01bc20c8f74f4899972e8a483d359738ce9a9e258fbb9ce8b1f884e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe
MD5
1f45bcf1fb8b7ef74a57d19a371f41cf

SHA1
9b7f346a04f8481c22fb6f8853f76349402a7009

SHA256
aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1

SHA512
6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f

Download Submit
\Users\Admin\AppData\Local\Temp\Damp\keimjdkhqxa.exe
MD5
1f45bcf1fb8b7ef74a57d19a371f41cf

SHA1
9b7f346a04f8481c22fb6f8853f76349402a7009

SHA256
aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1

SHA512
6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f

Download Submit
memory/108-102-0x0000000000000000-mapping.dmp

Download
memory/428-67-0x0000000000000000-mapping.dmp

Download
memory/552-87-0x0000000000000000-mapping.dmp

Download
memory/620-97-0x0000000000000000-mapping.dmp

Download
memory/684-75-0x0000000001E90000-0x0000000001EF4000-memory.dmp

Filesize
400KB

Download
memory/684-71-0x0000000000000000-mapping.dmp

Download
memory/688-101-0x0000000000000000-mapping.dmp

Download
memory/744-63-0x0000000000000000-mapping.dmp

Download
memory/744-65-0x00000000272F0000-0x0000000027354000-memory.dmp

Filesize
400KB

Download
memory/748-77-0x0000000000000000-mapping.dmp

Download
memory/792-61-0x0000000000000000-mapping.dmp

Download
memory/816-59-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/816-60-0x0000000027210000-0x0000000027274000-memory.dmp

Filesize
400KB

Download
memory/872-62-0x0000000000000000-mapping.dmp

Download
memory/956-83-0x0000000000EC0000-0x0000000000F24000-memory.dmp

Filesize
400KB

Download
memory/956-81-0x0000000000B12020-mapping.dmp

Download
memory/956-82-0x0000000000970000-0x0000000000B13000-memory.dmp

Filesize
1.6MB

Download
memory/956-80-0x0000000000970000-0x0000000000B13000-memory.dmp

Filesize
1.6MB

Download
memory/1028-90-0x0000000000000000-mapping.dmp

Download
memory/1032-89-0x0000000000000000-mapping.dmp

Download
memory/1064-96-0x0000000000000000-mapping.dmp

Download
memory/1116-76-0x0000000000000000-mapping.dmp

Download
memory/1148-68-0x0000000000000000-mapping.dmp

Download
memory/1284-69-0x0000000000000000-mapping.dmp

Download
memory/1296-93-0x0000000000000000-mapping.dmp

Download
memory/1312-92-0x0000000000000000-mapping.dmp

Download
memory/1344-78-0x0000000000000000-mapping.dmp

Download
memory/1356-88-0x0000000000000000-mapping.dmp

Download
memory/1396-99-0x0000000000083960-mapping.dmp

Download
memory/1396-98-0x0000000000060000-0x00000000000A1000-memory.dmp

Filesize
260KB

Download
memory/1396-100-0x0000000000060000-0x00000000000A1000-memory.dmp

Filesize
260KB

Download
memory/1548-91-0x0000000000000000-mapping.dmp

Download
memory/1552-84-0x0000000000000000-mapping.dmp

Download
memory/1572-95-0x0000000000000000-mapping.dmp

Download
memory/1648-86-0x0000000000000000-mapping.dmp

Download
memory/1652-66-0x0000000000000000-mapping.dmp

Download
memory/1720-85-0x0000000000000000-mapping.dmp

Download
memory/1812-94-0x0000000000000000-mapping.dmp

Download
memory/1824-70-0x0000000000000000-mapping.dmp

Download
memory/1952-79-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads