8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7

General

Target

8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Size

123KB
MD5

57c5d54f639a1ced3f7fcd3f491dd521
SHA1

834300a234db29ac8daef39a85e25823eb2a2032
SHA256

8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7
SHA512

5e9f399fcba2e00511828b74fc39d3ccf9a4fca9cf71dd87061d093625e2de5e742bf6cdfbc039650d592160a968b38a47eca3e149e95721b0afa203a2ff256c
SSDEEP

1536:sNUTgkYHzIdL6Kvom0jORkfZrzoVgja5EQ+1x51a+iZZB9t/hfKvO7vFR2n:siTnezQ+Kv7HR4zoWj0K8+iHLKvCvk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
968	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	85.17.138.145

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\unjikog = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\unjikog.dll\",unjikog"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe

Modifies WinLogon 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\Startup = "unjikog"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\Impersonate = "1"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\Asynchronous = "1"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\MaxWait = "1"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\vaufdkeu = cd960e67355b3a9c6bb6	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unjikog\DllName = "C:\\Users\\Admin\\AppData\\Local\\unjikog.dll"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ShellNew	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\ = "SdiMul Document"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open\command	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F21C6~1.EXE \"%1\""	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto\command	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F21C6~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\DefaultIcon	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print\command	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ShellNew\NullFile	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F21C6~1.EXE,0"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F21C6~1.EXE /p \"%1\""	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ = "SdiMul.Document"	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28
PID 1632 wrote to memory of 968	1632	8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe	28

C:\Users\Admin\AppData\Local\Temp\8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
"C:\Users\Admin\AppData\Local\Temp\8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
  C:\Users\Admin\AppData\Local\Temp\8f21c6f69a0808ce3292f58e0852c1c90000f705f09e007978f281281f3632e7.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\unjikog.dll

Filesize
17KB

MD5
4e180fe282178586e5f4017575872157

SHA1
0e5d163bb4e413dcdec54aec5222e275bcbaf470

SHA256
0ac771727834b866d3693ac427c0bce49193353ace834f83855e3b058007b6f6

SHA512
9cc0878dd3876fa9e9c7b5fdd7ea14956becf5713329b3828c23e47397442b399758ea5e4a443ad484a663178a937530ccbe7b05b31ea0d45c72db7cd47670b9

Download Submit
memory/968-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1632-65-0x00000000004B0000-0x00000000004B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads