c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

Resubmissions

29/07/2021, 08:36

210729-5h67qwvrd2 10

27/07/2021, 14:54

210727-v3d6d2mxcs 10

Analysis

max time kernel
253s
max time network
155s
platform
windows7_x64
resource
win7v20210408
submitted
29/07/2021, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iCoreBr.jpg.dll
Size

1.3MB
MD5

132e6560ca121679635684e812586bba
SHA1

6f48b7929e65aac27f3bf3cce24c7ad40624dc74
SHA256

c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048
SHA512

3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 848 created 1208	848	regsvr32.exe	11

Loads dropped DLL 1 IoCs

pid	Process
848	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\ixswdpbvpsyhy.exe\" mscp arih"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 1128	848	regsvr32.exe	48

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
300	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
768	PING.EXE
664	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1700	regsvr32.exe
848	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1700	regsvr32.exe
848	regsvr32.exe
848	regsvr32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 648	1648	regsvr32.exe	29
PID 1648 wrote to memory of 648	1648	regsvr32.exe	29
PID 1648 wrote to memory of 648	1648	regsvr32.exe	29
PID 648 wrote to memory of 768	648	cmd.exe	31
PID 648 wrote to memory of 768	648	cmd.exe	31
PID 648 wrote to memory of 768	648	cmd.exe	31
PID 648 wrote to memory of 1700	648	cmd.exe	32
PID 648 wrote to memory of 1700	648	cmd.exe	32
PID 648 wrote to memory of 1700	648	cmd.exe	32
PID 648 wrote to memory of 1700	648	cmd.exe	32
PID 648 wrote to memory of 1700	648	cmd.exe	32
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	33
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	33
PID 1700 wrote to memory of 1084	1700	regsvr32.exe	33
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	35
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	35
PID 1700 wrote to memory of 1292	1700	regsvr32.exe	35
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	36
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	36
PID 1700 wrote to memory of 1300	1700	regsvr32.exe	36
PID 1292 wrote to memory of 300	1292	cmd.exe	39
PID 1292 wrote to memory of 300	1292	cmd.exe	39
PID 1292 wrote to memory of 300	1292	cmd.exe	39
PID 1300 wrote to memory of 664	1300	cmd.exe	40
PID 1300 wrote to memory of 664	1300	cmd.exe	40
PID 1300 wrote to memory of 664	1300	cmd.exe	40
PID 1300 wrote to memory of 848	1300	cmd.exe	41
PID 1300 wrote to memory of 848	1300	cmd.exe	41
PID 1300 wrote to memory of 848	1300	cmd.exe	41
PID 1300 wrote to memory of 848	1300	cmd.exe	41
PID 1300 wrote to memory of 848	1300	cmd.exe	41
PID 848 wrote to memory of 1536	848	regsvr32.exe	42
PID 848 wrote to memory of 1536	848	regsvr32.exe	42
PID 848 wrote to memory of 1536	848	regsvr32.exe	42
PID 1536 wrote to memory of 744	1536	cmd.exe	44
PID 1536 wrote to memory of 744	1536	cmd.exe	44
PID 1536 wrote to memory of 744	1536	cmd.exe	44
PID 848 wrote to memory of 1608	848	regsvr32.exe	45
PID 848 wrote to memory of 1608	848	regsvr32.exe	45
PID 848 wrote to memory of 1608	848	regsvr32.exe	45
PID 1608 wrote to memory of 1792	1608	cmd.exe	47
PID 1608 wrote to memory of 1792	1608	cmd.exe	47
PID 1608 wrote to memory of 1792	1608	cmd.exe	47
PID 848 wrote to memory of 1128	848	regsvr32.exe	48
PID 848 wrote to memory of 1128	848	regsvr32.exe	48
PID 848 wrote to memory of 1128	848	regsvr32.exe	48
PID 848 wrote to memory of 1128	848	regsvr32.exe	48
PID 848 wrote to memory of 1128	848	regsvr32.exe	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\cmd.exe
    cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 8
      4⤵
      Runs ping.exe
      PID:768
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis
      4⤵
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo %temp%
        5⤵
        
        PID:1084
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe\" mscp arih"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\system32\reg.exe
        
        reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe\" mscp arih"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:300
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe" mscp arih & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 8
        6⤵
        Runs ping.exe
        
        PID:664
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe" mscp arih
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
        8⤵
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
        8⤵
        
        PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" mscp amw fkprm "C:\Users\Admin\AppData\Local\Temp\Damp\ixswdpbvpsyhy.exe"
  2⤵
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-76-0x0000000001D90000-0x0000000001DF4000-memory.dmp

Filesize
400KB

Download
memory/1128-83-0x00000000009E0000-0x0000000000B83000-memory.dmp

Filesize
1.6MB

Download
memory/1128-84-0x0000000029020000-0x0000000029084000-memory.dmp

Filesize
400KB

Download
memory/1128-81-0x00000000009E0000-0x0000000000B83000-memory.dmp

Filesize
1.6MB

Download
memory/1648-60-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1648-61-0x0000000001F40000-0x0000000001FA4000-memory.dmp

Filesize
400KB

Download
memory/1700-66-0x00000000020E0000-0x0000000002144000-memory.dmp

Filesize
400KB

Download