018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81

General

Target

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll
Size

74KB
MD5

ab17f2b17c57b731cb930243589ab0cf
SHA1

5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
SHA256

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
SHA512

62aac7869c47f89a545eadb2a150181771e1accfe454673d81e3899447e907aae030beea31cfc66820f665fa5060190a6c8823dd6356fbe34af99eae7e4067ce

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ImagePath	rundll32.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops desktop.ini file(s) 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	rundll32.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-369956170-74428499-1628131376-1000\desktop.ini	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCuiL.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jpeg.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dcpr.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\npdeployJava1.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
2352
2888
2980
2244
4032
60
1524
2904
2872
2064
4832
3560
3612
3484
3252
2896
2924
2952
3752
3732
2420
2372
3456
3748
3756
3796
3264
3680
3332
3520
3384
3444
3516
3532
3340
3348
3860
3872
3876
3260
5924
3716
3920
3220
3108
3236
952
660
632
656
708
420
1048
2356
2284
352
1244
1420
1480
5932
1396
1376
1276
6140

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sihost.exe

pid process

5956 sihost.exe

pid	process
5956	sihost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2372 wrote to memory of 2440	2372	rundll32.exe	rundll32.exe
PID 2372 wrote to memory of 2440	2372	rundll32.exe	rundll32.exe
PID 2372 wrote to memory of 2440	2372	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
  2⤵
  - Modifies security service
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:5976

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:5956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads