c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048

Resubmissions

29-07-2021 08:36

210729-5h67qwvrd2 10

27-07-2021 14:54

210727-v3d6d2mxcs 10

Analysis

max time kernel
278s
max time network
292s
platform
windows10_x64
resource
win10v20210410
submitted
29-07-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iCoreBr.jpg.dll
Size

1.3MB
MD5

132e6560ca121679635684e812586bba
SHA1

6f48b7929e65aac27f3bf3cce24c7ad40624dc74
SHA256

c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048
SHA512

3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2024 created 2492	2024	regsvr32.exe	23

Loads dropped DLL 1 IoCs

pid	Process
2024	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\ktjwabiyhe.exe\" mscp arih"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 188	2024	regsvr32.exe	97

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3340	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1656	PING.EXE
1784	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2112	regsvr32.exe
2112	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3492	4048	regsvr32.exe	78
PID 4048 wrote to memory of 3492	4048	regsvr32.exe	78
PID 3492 wrote to memory of 1656	3492	cmd.exe	80
PID 3492 wrote to memory of 1656	3492	cmd.exe	80
PID 3492 wrote to memory of 2112	3492	cmd.exe	81
PID 3492 wrote to memory of 2112	3492	cmd.exe	81
PID 2112 wrote to memory of 912	2112	regsvr32.exe	82
PID 2112 wrote to memory of 912	2112	regsvr32.exe	82
PID 2112 wrote to memory of 2468	2112	regsvr32.exe	84
PID 2112 wrote to memory of 2468	2112	regsvr32.exe	84
PID 2112 wrote to memory of 2476	2112	regsvr32.exe	87
PID 2112 wrote to memory of 2476	2112	regsvr32.exe	87
PID 2468 wrote to memory of 3340	2468	cmd.exe	88
PID 2468 wrote to memory of 3340	2468	cmd.exe	88
PID 2476 wrote to memory of 1784	2476	cmd.exe	89
PID 2476 wrote to memory of 1784	2476	cmd.exe	89
PID 2476 wrote to memory of 2024	2476	cmd.exe	90
PID 2476 wrote to memory of 2024	2476	cmd.exe	90
PID 2024 wrote to memory of 756	2024	regsvr32.exe	91
PID 2024 wrote to memory of 756	2024	regsvr32.exe	91
PID 756 wrote to memory of 2464	756	cmd.exe	93
PID 756 wrote to memory of 2464	756	cmd.exe	93
PID 2024 wrote to memory of 2176	2024	regsvr32.exe	94
PID 2024 wrote to memory of 2176	2024	regsvr32.exe	94
PID 2176 wrote to memory of 3288	2176	cmd.exe	96
PID 2176 wrote to memory of 3288	2176	cmd.exe	96
PID 2024 wrote to memory of 188	2024	regsvr32.exe	97
PID 2024 wrote to memory of 188	2024	regsvr32.exe	97
PID 2024 wrote to memory of 188	2024	regsvr32.exe	97
PID 2024 wrote to memory of 188	2024	regsvr32.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2492
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\cmd.exe
    cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 8
      4⤵
      Runs ping.exe
      PID:1656
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo %temp%
        5⤵
        
        PID:912
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe\" mscp arih"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\system32\reg.exe
        
        reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe\" mscp arih"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3340
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe" mscp arih & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 8
        6⤵
        Runs ping.exe
        
        PID:1784
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe" mscp arih
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
        8⤵
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\reg.exe
        
        reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" /v "Path"
        8⤵
        
        PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" mscp amw fkprm "C:\Users\Admin\AppData\Local\Temp\Damp\ktjwabiyhe.exe"
  2⤵
  PID:188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-150-0x000001F82E830000-0x000001F82E9D3000-memory.dmp

Filesize
1.6MB

Download
memory/188-151-0x000001F854130000-0x000001F854194000-memory.dmp

Filesize
400KB

Download
memory/188-144-0x000001F82E830000-0x000001F82E9D3000-memory.dmp

Filesize
1.6MB

Download
memory/2024-139-0x00000000278F0000-0x0000000027954000-memory.dmp

Filesize
400KB

Download
memory/2112-125-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2112-126-0x0000000028090000-0x00000000280F4000-memory.dmp

Filesize
400KB

Download
memory/2112-124-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/2112-123-0x0000000001140000-0x0000000001142000-memory.dmp

Filesize
8KB

Download
memory/4048-118-0x0000000027A70000-0x0000000027AD4000-memory.dmp

Filesize
400KB

Download