ce9057071330e14edcb9a4ced48826ac5752c24219aa0db23229d23202eba283

General

Target

165b4cd047c192b68270335fe1dc6a3b.exe
Size

145KB
MD5

165b4cd047c192b68270335fe1dc6a3b
SHA1

6ef991bf751d7cce189c7f017fabe7546f5fed87
SHA256

ce9057071330e14edcb9a4ced48826ac5752c24219aa0db23229d23202eba283
SHA512

55687e248b9f789d4300618bf9fbe0637f29843d0971f8427c683500c2f133a9fe3de5463e30560b254218d4e319d10e40a82b52f348d379df3b8b2fe88bceb6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

14 4036 rundll32.exe
21 4036 rundll32.exe
22 4036 rundll32.exe
48 4036 rundll32.exe
61 4036 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exesvchost.exerundll32.exe

pid process

3480 165b4cd047c192b68270335fe1dc6a3b.exe
3840 svchost.exe
4036 rundll32.exe

flow	pid	process
14	4036	rundll32.exe
21	4036	rundll32.exe
22	4036	rundll32.exe
48	4036	rundll32.exe
61	4036	rundll32.exe

pid	process
3480	165b4cd047c192b68270335fe1dc6a3b.exe
3840	svchost.exe
4036	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

svchost.exe165b4cd047c192b68270335fe1dc6a3b.exe

description	ioc	process
File created	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	165b4cd047c192b68270335fe1dc6a3b.exe
File created	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	165b4cd047c192b68270335fe1dc6a3b.exe
File opened for modification	C:\Program Files (x86)\Kghi\Pghijklmn.jpg	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exe

description	ioc	process
File created	\??\c:\windows\win.log	165b4cd047c192b68270335fe1dc6a3b.exe
File created	C:\Windows\atiamellVFeM.dll	165b4cd047c192b68270335fe1dc6a3b.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\NetSubKey rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\NetSubKey	rundll32.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

165b4cd047c192b68270335fe1dc6a3b.exesvchost.exe

description	pid	process
Token: SeBackupPrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeRestorePrivilege	3480	165b4cd047c192b68270335fe1dc6a3b.exe
Token: SeBackupPrivilege	3840	svchost.exe
Token: SeRestorePrivilege	3840	svchost.exe
Token: SeBackupPrivilege	3840	svchost.exe
Token: SeRestorePrivilege	3840	svchost.exe
Token: SeBackupPrivilege	3840	svchost.exe
Token: SeRestorePrivilege	3840	svchost.exe
Token: SeDebugPrivilege	3840	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3840 wrote to memory of 4036	3840	svchost.exe	rundll32.exe
PID 3840 wrote to memory of 4036	3840	svchost.exe	rundll32.exe
PID 3840 wrote to memory of 4036	3840	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\165b4cd047c192b68270335fe1dc6a3b.exe
"C:\Users\Admin\AppData\Local\Temp\165b4cd047c192b68270335fe1dc6a3b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files (x86)\Kghi\Pghijklmn.jpg", FineView
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kghi\Pghijklmn.jpg
Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
C:\Program Files (x86)\Kghi\Pghijklmn.jpg
Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
C:\Windows\atiamellVFeM.dll
Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
C:\Windows\atiamellVFeM.dll
Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
\??\c:\program files (x86)\kghi\pghijklmn.jpg
Filesize
224KB

MD5
756e179305690189fad3d3c91a5983b6

SHA1
ec94118ba4e7548e134548e98a578c420f029928

SHA256
5b08ea503a400172c4f7af8c4a0450d7dcc6a877e073039e5a258304a3780412

SHA512
9a438609d3433eb5b5b5cbc69271c0761db80b142a426f85d7afd29268699081dd2d60833726da56389de5ba61e39bdec4e6602183604ec2a7849895b5721089

Download Submit
\??\c:\windows\win.log
Filesize
98B

MD5
49beb840fc18f1bbf3890dac14fa75ab

SHA1
c6a369580ef7673780ef9f8c40f4de6000843f00

SHA256
0a4525b47a5bd44da5ca164f32eb9b57f68a21ace9aea01d4ce5801724c6d51e

SHA512
5a50e012b18a71b52ce0e216c0133eaa3f62b4b05a7ec0e2f05519239d7c9d12e7efcf4f356c9c1871f3057b93671eaf0e96c7ac9c11373ebe70005594178e7b

Download Submit
memory/4036-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads