c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

General

Target

iCoreBr.jpg.dll
Size

1.3MB
MD5

132e6560ca121679635684e812586bba
SHA1

6f48b7929e65aac27f3bf3cce24c7ad40624dc74
SHA256

c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048
SHA512

3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 848 created 1208 848 regsvr32.exe Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

848 regsvr32.exe

description	pid	process	target process
PID 848 created 1208	848	regsvr32.exe	Explorer.EXE

pid	process
848	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\ixswdpbvpsyhy.exe\" mscp arih"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 848 set thread context of 1128 848 regsvr32.exe chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

300 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

768 PING.EXE
664 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1700 regsvr32.exe
848 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1700 regsvr32.exe
848 regsvr32.exe
848 regsvr32.exe

description	pid	process	target process
PID 848 set thread context of 1128	848	regsvr32.exe	chrome.exe

pid	process
300	reg.exe

pid	process
768	PING.EXE
664	PING.EXE

pid	process
1700	regsvr32.exe
848	regsvr32.exe

pid	process
1700	regsvr32.exe
848	regsvr32.exe
848	regsvr32.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

regsvr32.execmd.exeregsvr32.execmd.execmd.exeregsvr32.execmd.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 648	1648	regsvr32.exe	cmd.exe
PID 1648 wrote to memory of 648	1648	regsvr32.exe	cmd.exe
PID 1648 wrote to memory of 648	1648	regsvr32.exe	cmd.exe
PID 648 wrote to memory of 768	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 768	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 768	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 1700	648	cmd.exe	regsvr32.exe
PID 648 wrote to memory of 1700	648	cmd.exe	regsvr32.exe
PID 648 wrote to memory of 1700	648	cmd.exe	regsvr32.exe
PID 648 wrote to memory of 1700	648	cmd.exe	regsvr32.exe
PID 648 wrote to memory of 1700	648	cmd.exe	regsvr32.exe
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	cmd.exe
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	cmd.exe
PID 1292 wrote to memory of 300	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 300	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 300	1292	cmd.exe	reg.exe
PID 1300 wrote to memory of 664	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 664	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 664	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 848	1300	cmd.exe	regsvr32.exe
PID 1300 wrote to memory of 848	1300	cmd.exe	regsvr32.exe
PID 1300 wrote to memory of 848	1300	cmd.exe	regsvr32.exe
PID 1300 wrote to memory of 848	1300	cmd.exe	regsvr32.exe
PID 1300 wrote to memory of 848	1300	cmd.exe	regsvr32.exe
PID 848 wrote to memory of 1536	848	regsvr32.exe	cmd.exe
PID 848 wrote to memory of 1536	848	regsvr32.exe	cmd.exe
PID 848 wrote to memory of 1536	848	regsvr32.exe	cmd.exe
PID 1536 wrote to memory of 744	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 744	1536	cmd.exe	reg.exe
PID 1536 wrote to memory of 744	1536	cmd.exe	reg.exe
PID 848 wrote to memory of 1608	848	regsvr32.exe	cmd.exe
PID 848 wrote to memory of 1608	848	regsvr32.exe	cmd.exe
PID 848 wrote to memory of 1608	848	regsvr32.exe	cmd.exe
PID 1608 wrote to memory of 1792	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1792	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1792	1608	cmd.exe	reg.exe
PID 848 wrote to memory of 1128	848	regsvr32.exe	chrome.exe
PID 848 wrote to memory of 1128	848	regsvr32.exe	chrome.exe
PID 848 wrote to memory of 1128	848	regsvr32.exe	chrome.exe
PID 848 wrote to memory of 1128	848	regsvr32.exe	chrome.exe
PID 848 wrote to memory of 1128	848	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
4⤵
- Runs ping.exe
PID:768

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis
4⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\cmd.exe
cmd.exe /c echo %temp%
5⤵
PID:1084

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe\" mscp arih"
5⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe\" mscp arih"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:300

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe" mscp arih & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:664

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe" mscp arih
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
7⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
8⤵
PID:744

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
7⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
8⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" mscp amw fkprm "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe"
2⤵
PID:1128

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe
MD5
132e6560ca121679635684e812586bba

SHA1
6f48b7929e65aac27f3bf3cce24c7ad40624dc74

SHA256
c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

SHA512
3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Download Submit
\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe
MD5
132e6560ca121679635684e812586bba

SHA1
6f48b7929e65aac27f3bf3cce24c7ad40624dc74

SHA256
c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

SHA512
3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Download Submit
memory/300-70-0x0000000000000000-mapping.dmp

Download
memory/648-62-0x0000000000000000-mapping.dmp

Download
memory/664-71-0x0000000000000000-mapping.dmp

Download
memory/744-78-0x0000000000000000-mapping.dmp

Download
memory/768-63-0x0000000000000000-mapping.dmp

Download
memory/848-76-0x0000000001D90000-0x0000000001DF4000-memory.dmp

Filesize
400KB

Download
memory/848-72-0x0000000000000000-mapping.dmp

Download
memory/1084-67-0x0000000000000000-mapping.dmp

Download
memory/1128-83-0x00000000009E0000-0x0000000000B83000-memory.dmp

Filesize
1.6MB

Download
memory/1128-82-0x0000000000B82020-mapping.dmp

Download
memory/1128-84-0x0000000029020000-0x0000000029084000-memory.dmp

Filesize
400KB

Download
memory/1128-81-0x00000000009E0000-0x0000000000B83000-memory.dmp

Filesize
1.6MB

Download
memory/1292-68-0x0000000000000000-mapping.dmp

Download
memory/1300-69-0x0000000000000000-mapping.dmp

Download
memory/1536-77-0x0000000000000000-mapping.dmp

Download
memory/1608-79-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1648-61-0x0000000001F40000-0x0000000001FA4000-memory.dmp

Filesize
400KB

Download
memory/1700-66-0x00000000020E0000-0x0000000002144000-memory.dmp

Filesize
400KB

Download
memory/1700-64-0x0000000000000000-mapping.dmp

Download
memory/1792-80-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing