3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
Size

98KB
MD5

7584afd109ede58da3205d10884eb598
SHA1

9b65bab6982025d0769a2a1689504bd9acc170ae
SHA256

3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3
SHA512

e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4928	rundll32.exe
4268	svchost.exe
4936	rundll32.exe
4372	svchost.exe
4232	svchost.exe
2224	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Windows\\system32\\csrss.exe"	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe"	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Process for Windows = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
File created	C:\Windows\SysWOW64\svchost.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
File created	C:\Windows\SysWOW64\csrss.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
File opened for modification	C:\Windows\SysWOW64\csrss.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3076 set thread context of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 4928 set thread context of 4936	4928	rundll32.exe	81
PID 4268 set thread context of 2224	4268	svchost.exe	84

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3076 wrote to memory of 3372	3076	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	78
PID 3372 wrote to memory of 4928	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	79
PID 3372 wrote to memory of 4928	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	79
PID 3372 wrote to memory of 4928	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	79
PID 3372 wrote to memory of 4268	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	80
PID 3372 wrote to memory of 4268	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	80
PID 3372 wrote to memory of 4268	3372	3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe	80
PID 4268 wrote to memory of 4372	4268	svchost.exe	82
PID 4268 wrote to memory of 4372	4268	svchost.exe	82
PID 4268 wrote to memory of 4372	4268	svchost.exe	82
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4928 wrote to memory of 4936	4928	rundll32.exe	81
PID 4268 wrote to memory of 4232	4268	svchost.exe	83
PID 4268 wrote to memory of 4232	4268	svchost.exe	83
PID 4268 wrote to memory of 4232	4268	svchost.exe	83
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84
PID 4268 wrote to memory of 2224	4268	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
"C:\Users\Admin\AppData\Local\Temp\3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe
  "C:\Users\Admin\AppData\Local\Temp\3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Roaming\rundll32.exe
    "C:\Users\Admin\AppData\Roaming\rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Roaming\rundll32.exe
      "C:\Users\Admin\AppData\Roaming\rundll32.exe"
      4⤵
      Executes dropped EXE
      PID:4936
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4372
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4232
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
98KB

MD5
7584afd109ede58da3205d10884eb598

SHA1
9b65bab6982025d0769a2a1689504bd9acc170ae

SHA256
3bbdbac11e0186fce751d87830c5f6154a67dbdf7a3c39bc4153491d9641a8c3

SHA512
e3b12f592c8a666acd8430bc59fe7ab7ca97054db6d9cdc64fe04b3a4aedc70a8f01a6a8e2618b212f377e05879a41e2be88706eb58497801d9a8f45ea6ceaec

Download Submit
memory/2224-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2224-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-130-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3076-134-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3372-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3372-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3372-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4268-153-0x0000000074110000-0x00000000746C1000-memory.dmp

Filesize
5.7MB

Download
memory/4928-146-0x0000000074110000-0x00000000746C1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download