05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

General

Target

05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe
Size

1.4MB
MD5

ab54010702c82bba492dad75a9adbcd3
SHA1

63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc
SHA256

05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7
SHA512

08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa
SSDEEP

24576:8WrJpitnKSwFkgUB2eziTchJ/UB2unrt5YqUpdIEQfgRdEE:7rJpBF02MiQhdUdrXzDgRdEE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	rundll.exe
1236	rundll.exe

Loads dropped DLL 2 IoCs

pid	Process
900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe
900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"	rundll.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 1940 set thread context of 1236	1940	rundll.exe	28

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 900 wrote to memory of 1940	900	05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe	27
PID 1940 wrote to memory of 1236	1940	rundll.exe	28
PID 1940 wrote to memory of 1236	1940	rundll.exe	28
PID 1940 wrote to memory of 1236	1940	rundll.exe	28
PID 1940 wrote to memory of 1236	1940	rundll.exe	28
PID 1940 wrote to memory of 1236	1940	rundll.exe	28
PID 1940 wrote to memory of 1236	1940	rundll.exe	28

C:\Users\Admin\AppData\Local\Temp\05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe
"C:\Users\Admin\AppData\Local\Temp\05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\rundll.exe
  "C:\Users\Admin\AppData\Local\rundll.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\rundll.exe
    "C:\Users\Admin\AppData\Local\rundll.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rundll.exe

Filesize
1.4MB

MD5
ab54010702c82bba492dad75a9adbcd3

SHA1
63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc

SHA256
05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

SHA512
08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa

Download Submit
C:\Users\Admin\AppData\Local\rundll.exe

Filesize
1.4MB

MD5
ab54010702c82bba492dad75a9adbcd3

SHA1
63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc

SHA256
05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

SHA512
08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa

Download Submit
C:\Users\Admin\AppData\Local\rundll.exe

Filesize
1.4MB

MD5
ab54010702c82bba492dad75a9adbcd3

SHA1
63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc

SHA256
05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

SHA512
08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa

Download Submit
\Users\Admin\AppData\Local\rundll.exe

Filesize
1.4MB

MD5
ab54010702c82bba492dad75a9adbcd3

SHA1
63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc

SHA256
05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

SHA512
08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa

Download Submit
\Users\Admin\AppData\Local\rundll.exe

Filesize
1.4MB

MD5
ab54010702c82bba492dad75a9adbcd3

SHA1
63d17ed4296fb5ee1e7f49e7b100a53dc8ac58cc

SHA256
05df488f060360608ef2cf5a1f2130dcc20ff9dfad3d03588534566473243db7

SHA512
08410ba5bed0b9eae4c046b0d36fb0cdc659ca29fa674cce1b56775eff5d2237f30a393de6d4cbc0e58321e67571976031e322dbed7067f202e98bdb22ab18fa

Download Submit
memory/1236-89-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-88-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-86-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-87-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-83-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-81-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1940-65-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-79-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-78-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1940-77-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-73-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-70-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-67-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-62-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-59-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-57-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1940-56-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing