f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118

Analysis

max time kernel
150s
max time network
41s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118.dll
Size

886KB
MD5

471a11a667025ad95b5c6ee9690d7036
SHA1

27e65af61719544741b1efb7065e8172534f1acd
SHA256

f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118
SHA512

e1b7d25e163dd1264e456bcb6b494a43a1392ee5766f05e57dea9e4ec9fde6056177ca5f52d323837fc8f21c93ce2beaf836fc533c123952ec65b3d0832ae327

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

unregmp2.exeshrpubw.exedpapimig.exe

pid process

1232 unregmp2.exe
760 shrpubw.exe
324 dpapimig.exe
Loads dropped DLL 7 IoCs

Processes:

unregmp2.exeshrpubw.exedpapimig.exe

pid process

1240
1232 unregmp2.exe
1240
760 shrpubw.exe
1240
324 dpapimig.exe
1240

pid	process
1232	unregmp2.exe
760	shrpubw.exe
324	dpapimig.exe

pid	process
1240
1232	unregmp2.exe
1240
760	shrpubw.exe
1240
324	dpapimig.exe
1240

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\CTBHLAPR\\I5l\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

shrpubw.exedpapimig.exerundll32.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeunregmp2.exe

pid	process
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1232	unregmp2.exe
1232	unregmp2.exe
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1240 wrote to memory of 1724	1240	unregmp2.exe
PID 1240 wrote to memory of 1724	1240	unregmp2.exe
PID 1240 wrote to memory of 1724	1240	unregmp2.exe
PID 1240 wrote to memory of 1232	1240	unregmp2.exe
PID 1240 wrote to memory of 1232	1240	unregmp2.exe
PID 1240 wrote to memory of 1232	1240	unregmp2.exe
PID 1240 wrote to memory of 560	1240	shrpubw.exe
PID 1240 wrote to memory of 560	1240	shrpubw.exe
PID 1240 wrote to memory of 560	1240	shrpubw.exe
PID 1240 wrote to memory of 760	1240	shrpubw.exe
PID 1240 wrote to memory of 760	1240	shrpubw.exe
PID 1240 wrote to memory of 760	1240	shrpubw.exe
PID 1240 wrote to memory of 1980	1240	dpapimig.exe
PID 1240 wrote to memory of 1980	1240	dpapimig.exe
PID 1240 wrote to memory of 1980	1240	dpapimig.exe
PID 1240 wrote to memory of 324	1240	dpapimig.exe
PID 1240 wrote to memory of 324	1240	dpapimig.exe
PID 1240 wrote to memory of 324	1240	dpapimig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\hL03rpV\unregmp2.exe
C:\Users\Admin\AppData\Local\hL03rpV\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:560

C:\Users\Admin\AppData\Local\VNLn1\shrpubw.exe
C:\Users\Admin\AppData\Local\VNLn1\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:760

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1980

C:\Users\Admin\AppData\Local\TNIygkjS\dpapimig.exe
C:\Users\Admin\AppData\Local\TNIygkjS\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TNIygkjS\DUI70.dll
Filesize
1.1MB

MD5
cb9c03236cf7ff3c65264e1c9029a1e6

SHA1
ae1081f65e71429bf4c92bc1f410869eb41083bc

SHA256
291d829e1138042bd088bc9443c2741006e69fe927579f1a900a759f1b91b16e

SHA512
aa3b5ba576283992f090992594b7319b4ab513fcb728f33f0ddf0558f3846db5bdd7a059d823982f3d146663b930de4340400bff98bfd204a99d595efcf96f5a

Download Submit
C:\Users\Admin\AppData\Local\TNIygkjS\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
C:\Users\Admin\AppData\Local\VNLn1\MFC42u.dll
Filesize
914KB

MD5
24e59539618a927481693044a461e821

SHA1
e789aed5866dafb7200321aa7eb5ddb19169cb92

SHA256
9271fb6912c2dacb9ddd3e7865e548281a95eb9ddadfd4c9c979f6afaa92af41

SHA512
9e049bf5d59faa21f9264ecdb6a1012650464cfdd9de7beece00060a14b00fde6fec2333371a4e82ef04d0ffc071c96823801d541ccaf92f45ff173a7a420bf5

Download Submit
C:\Users\Admin\AppData\Local\VNLn1\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\hL03rpV\slc.dll
Filesize
888KB

MD5
4e6f6b32fad8d5f91c61dde7fd366cdb

SHA1
0110fef3b837f5a5ce019f31f36c20638da3fd6c

SHA256
f1e574dfb1cf230d37905505809b358eaaa916a6a7d85cbdbcbc09a799a95700

SHA512
82568c7b56829165daee894017ca448b48eb7524b924e62b6ad5657add0e5d1f62939200684d621c7d911aa3c5c3e1f8b52f29a2f9eeee71f3301f66e5fb68ab

Download Submit
C:\Users\Admin\AppData\Local\hL03rpV\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\TNIygkjS\DUI70.dll
Filesize
1.1MB

MD5
cb9c03236cf7ff3c65264e1c9029a1e6

SHA1
ae1081f65e71429bf4c92bc1f410869eb41083bc

SHA256
291d829e1138042bd088bc9443c2741006e69fe927579f1a900a759f1b91b16e

SHA512
aa3b5ba576283992f090992594b7319b4ab513fcb728f33f0ddf0558f3846db5bdd7a059d823982f3d146663b930de4340400bff98bfd204a99d595efcf96f5a

Download Submit
\Users\Admin\AppData\Local\TNIygkjS\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
\Users\Admin\AppData\Local\VNLn1\MFC42u.dll
Filesize
914KB

MD5
24e59539618a927481693044a461e821

SHA1
e789aed5866dafb7200321aa7eb5ddb19169cb92

SHA256
9271fb6912c2dacb9ddd3e7865e548281a95eb9ddadfd4c9c979f6afaa92af41

SHA512
9e049bf5d59faa21f9264ecdb6a1012650464cfdd9de7beece00060a14b00fde6fec2333371a4e82ef04d0ffc071c96823801d541ccaf92f45ff173a7a420bf5

Download Submit
\Users\Admin\AppData\Local\VNLn1\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\hL03rpV\slc.dll
Filesize
888KB

MD5
4e6f6b32fad8d5f91c61dde7fd366cdb

SHA1
0110fef3b837f5a5ce019f31f36c20638da3fd6c

SHA256
f1e574dfb1cf230d37905505809b358eaaa916a6a7d85cbdbcbc09a799a95700

SHA512
82568c7b56829165daee894017ca448b48eb7524b924e62b6ad5657add0e5d1f62939200684d621c7d911aa3c5c3e1f8b52f29a2f9eeee71f3301f66e5fb68ab

Download Submit
\Users\Admin\AppData\Local\hL03rpV\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\D5k\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
memory/324-78-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/760-72-0x0000000000000000-mapping.dmp

Download
memory/1232-67-0x0000000000000000-mapping.dmp

Download
memory/1240-54-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-63-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-64-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-65-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-62-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-58-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-59-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-61-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-60-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-57-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-56-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1240-55-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads