c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

General

Target

iCoreBr.jpg.dll
Size

1.3MB
MD5

132e6560ca121679635684e812586bba
SHA1

6f48b7929e65aac27f3bf3cce24c7ad40624dc74
SHA256

c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048
SHA512

3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2024 created 2492 2024 regsvr32.exe Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2024 regsvr32.exe

description	pid	process	target process
PID 2024 created 2492	2024	regsvr32.exe	Explorer.EXE

pid	process
2024	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\ktjwabiyhe.exe\" mscp arih"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2024 set thread context of 188 2024 regsvr32.exe chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3340 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1656 PING.EXE
1784 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2112 regsvr32.exe
2112 regsvr32.exe
2024 regsvr32.exe
2024 regsvr32.exe
2024 regsvr32.exe
2024 regsvr32.exe

description	pid	process	target process
PID 2024 set thread context of 188	2024	regsvr32.exe	chrome.exe

pid	process
3340	reg.exe

pid	process
1656	PING.EXE
1784	PING.EXE

pid	process
2112	regsvr32.exe
2112	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

regsvr32.execmd.exeregsvr32.execmd.execmd.exeregsvr32.execmd.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 3492	4048	regsvr32.exe	cmd.exe
PID 4048 wrote to memory of 3492	4048	regsvr32.exe	cmd.exe
PID 3492 wrote to memory of 1656	3492	cmd.exe	PING.EXE
PID 3492 wrote to memory of 1656	3492	cmd.exe	PING.EXE
PID 3492 wrote to memory of 2112	3492	cmd.exe	regsvr32.exe
PID 3492 wrote to memory of 2112	3492	cmd.exe	regsvr32.exe
PID 2112 wrote to memory of 912	2112	regsvr32.exe	cmd.exe
PID 2112 wrote to memory of 912	2112	regsvr32.exe	cmd.exe
PID 2112 wrote to memory of 2468	2112	regsvr32.exe	cmd.exe
PID 2112 wrote to memory of 2468	2112	regsvr32.exe	cmd.exe
PID 2112 wrote to memory of 2476	2112	regsvr32.exe	cmd.exe
PID 2112 wrote to memory of 2476	2112	regsvr32.exe	cmd.exe
PID 2468 wrote to memory of 3340	2468	cmd.exe	reg.exe
PID 2468 wrote to memory of 3340	2468	cmd.exe	reg.exe
PID 2476 wrote to memory of 1784	2476	cmd.exe	PING.EXE
PID 2476 wrote to memory of 1784	2476	cmd.exe	PING.EXE
PID 2476 wrote to memory of 2024	2476	cmd.exe	regsvr32.exe
PID 2476 wrote to memory of 2024	2476	cmd.exe	regsvr32.exe
PID 2024 wrote to memory of 756	2024	regsvr32.exe	cmd.exe
PID 2024 wrote to memory of 756	2024	regsvr32.exe	cmd.exe
PID 756 wrote to memory of 2464	756	cmd.exe	reg.exe
PID 756 wrote to memory of 2464	756	cmd.exe	reg.exe
PID 2024 wrote to memory of 2176	2024	regsvr32.exe	cmd.exe
PID 2024 wrote to memory of 2176	2024	regsvr32.exe	cmd.exe
PID 2176 wrote to memory of 3288	2176	cmd.exe	reg.exe
PID 2176 wrote to memory of 3288	2176	cmd.exe	reg.exe
PID 2024 wrote to memory of 188	2024	regsvr32.exe	chrome.exe
PID 2024 wrote to memory of 188	2024	regsvr32.exe	chrome.exe
PID 2024 wrote to memory of 188	2024	regsvr32.exe	chrome.exe
PID 2024 wrote to memory of 188	2024	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2492

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
4⤵
- Runs ping.exe
PID:1656

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\cmd.exe
cmd.exe /c echo %temp%
5⤵
PID:912

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe\" mscp arih"
5⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe\" mscp arih"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:3340

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe" mscp arih & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:1784

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe" mscp arih
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
7⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
8⤵
PID:2464

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
7⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
8⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" mscp amw fkprm "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe"
2⤵
PID:188

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe
MD5
132e6560ca121679635684e812586bba

SHA1
6f48b7929e65aac27f3bf3cce24c7ad40624dc74

SHA256
c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

SHA512
3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Download Submit
\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe
MD5
132e6560ca121679635684e812586bba

SHA1
6f48b7929e65aac27f3bf3cce24c7ad40624dc74

SHA256
c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

SHA512
3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Download Submit
memory/188-150-0x000001F82E830000-0x000001F82E9D3000-memory.dmp

Filesize
1.6MB

Download
memory/188-151-0x000001F854130000-0x000001F854194000-memory.dmp

Filesize
400KB

Download
memory/188-144-0x000001F82E830000-0x000001F82E9D3000-memory.dmp

Filesize
1.6MB

Download
memory/188-145-0x000001F82E9D2020-mapping.dmp

Download
memory/756-140-0x0000000000000000-mapping.dmp

Download
memory/912-127-0x0000000000000000-mapping.dmp

Download
memory/1656-120-0x0000000000000000-mapping.dmp

Download
memory/1784-131-0x0000000000000000-mapping.dmp

Download
memory/2024-139-0x00000000278F0000-0x0000000027954000-memory.dmp

Filesize
400KB

Download
memory/2024-132-0x0000000000000000-mapping.dmp

Download
memory/2112-125-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2112-126-0x0000000028090000-0x00000000280F4000-memory.dmp

Filesize
400KB

Download
memory/2112-124-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2112-123-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2112-121-0x0000000000000000-mapping.dmp

Download
memory/2176-142-0x0000000000000000-mapping.dmp

Download
memory/2464-141-0x0000000000000000-mapping.dmp

Download
memory/2468-128-0x0000000000000000-mapping.dmp

Download
memory/2476-129-0x0000000000000000-mapping.dmp

Download
memory/3288-143-0x0000000000000000-mapping.dmp

Download
memory/3340-130-0x0000000000000000-mapping.dmp

Download
memory/3492-119-0x0000000000000000-mapping.dmp

Download
memory/4048-118-0x0000000027A70000-0x0000000027AD4000-memory.dmp

Filesize
400KB

Download

Resubmissions

Analysis

Sharing