bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816

General

Target

bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
Size

295KB
MD5

a14af4090402ebf401341ea892a73996
SHA1

709ae1754821921eaa9570b77ef56bc8fdbcda37
SHA256

bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816
SHA512

45fe13f4383af42935539694320a5791e9e05aa7faab1d81d83f4caa671e8a59de818c9538bcbf750d5f13e9e8a14b5c9199da1fcc4507b379fff5d270f06cde
SSDEEP

6144:XFOXUAadJYiZo0/pitBvvmpsmwRog2ZBG1ScCGp3Fkh4:XAXU/n/o0/pitBmpsmwR4ZB4CGp3Fk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28
PID 2012 wrote to memory of 1360	2012	bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe	28

C:\Users\Admin\AppData\Local\Temp\bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe
"C:\Users\Admin\AppData\Local\Temp\bd1b0207b0431c94627254179e1c44cd116e24af9c8b3fb7b55aa3adc7b83816.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
237KB

MD5
0c1b3a560336a2da0b1b085da65033ff

SHA1
f1464b49f243c8930d94bab899a16b03014a2bad

SHA256
953483217e070698e56f6e98afbff4d895ee0ca3312dd5c38875428275afd039

SHA512
d97806a470013edaac05dde1c6b8be49391e4069993364dc3291b7428665e4e07a80b55509cd69d2f6905ca95c193bf0f7a064fb3f0c808a1a9a35f5644ff646

Download Submit
memory/1360-68-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/1360-69-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/2012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2012-59-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/2012-58-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/2012-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2012-56-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/2012-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing