ce9057071330e14edcb9a4ced48826ac5752c24219aa0db23229d23202eba283

General

Target

165b4cd047c192b68270335fe1dc6a3b.exe
Size

145KB
MD5

165b4cd047c192b68270335fe1dc6a3b
SHA1

6ef991bf751d7cce189c7f017fabe7546f5fed87
SHA256

ce9057071330e14edcb9a4ced48826ac5752c24219aa0db23229d23202eba283
SHA512

55687e248b9f789d4300618bf9fbe0637f29843d0971f8427c683500c2f133a9fe3de5463e30560b254218d4e319d10e40a82b52f348d379df3b8b2fe88bceb6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

2 1560 rundll32.exe
4 1560 rundll32.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

908 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exerundll32.exe

pid process

908 svchost.exe
1560 rundll32.exe

flow	pid	process
2	1560	rundll32.exe
4	1560	rundll32.exe

pid	process
908	svchost.exe

pid	process
908	svchost.exe
1560	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	165b4cd047c192b68270335fe1dc6a3b.exe
File created	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	165b4cd047c192b68270335fe1dc6a3b.exe
File opened for modification	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	svchost.exe
File created	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exe

description	ioc	process
File created	C:\Windows\atiamellcfaV.dll	165b4cd047c192b68270335fe1dc6a3b.exe
File created	\??\c:\windows\win.log	165b4cd047c192b68270335fe1dc6a3b.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\NetSubKey rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\NetSubKey	rundll32.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	2028	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	908	svchost.exe
Token: SeRestorePrivilege	908	svchost.exe
Token: SeBackupPrivilege	908	svchost.exe
Token: SeRestorePrivilege	908	svchost.exe
Token: SeBackupPrivilege	908	svchost.exe
Token: SeRestorePrivilege	908	svchost.exe
Token: SeDebugPrivilege	908	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe
PID 908 wrote to memory of 1560	908	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\165b4cd047c192b68270335fe1dc6a3b.exe
"C:\Users\Admin\AppData\Local\Temp\165b4cd047c192b68270335fe1dc6a3b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\Kghi\Pghijklmn.jpg", FineView
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\atiamellcfaV.dll

Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
\??\c:\program files (x86)\kghi\pghijklmn.jpg

Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
\??\c:\windows\win.log

Filesize
98B

MD5
7994c84b9ab3019719a9c7ac10bccde5

SHA1
b9381ba0e7659a8829928849c9328863500208bb

SHA256
1c92a02e16588754fd59d278b724926bd6aaf816437be484503d8d83eef028d7

SHA512
469835425beecd4cab5ac526acd347a3c2de259873e45030910ae26d1948355519f7712069c23ab2df1c10ca5249b2e9df198e361e65469cd2652305eb2562ec

Download Submit
\Program Files (x86)\Kghi\Pghijklmn.jpg

Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
\Program Files (x86)\Kghi\Pghijklmn.jpg

Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
memory/1560-60-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads