70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef

General

Target

70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
Size

206KB
MD5

011711065387d89673035cb6d27ddfbb
SHA1

b37ccdc7a278fe0a007bc6cf5ad097d0788f2eee
SHA256

70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef
SHA512

2ce5c4f7dc8a0188f0e3ba4c4200dd03b247dc0c0f6cff55d1f0460cb0f073d2817ec805cf619330639299b15867be3b1117e22725010999f050e95aa220e78d
SSDEEP

6144:tu7XQyUMjLzilgUOclNA3FQ1qgz6FaCXe7Zgm8U:YtqFnlGVgz6YQe7M

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27
PID 620 wrote to memory of 1312	620	70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe	27

C:\Users\Admin\AppData\Local\Temp\70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe
"C:\Users\Admin\AppData\Local\Temp\70cf119b0a17fd0d3a2e7668693c9a41f2ee59b5037b691dad9b2151126123ef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
913042591a2dffa50fa7af42eed89634

SHA1
971a367f164ad89ee492414fe3fa6aaa6b6b15bf

SHA256
86433e30fa404366da7f6e5128cd72c95d45341a07c768915b9a588b0a60315e

SHA512
fbe790232ddf9aa6ba72f7b3ac7e731a7265598c1d208899568d8f3b3b8f51f362dba0a1f3dfff4f5f868b12e3189cf3df796d67bad6581f52486b464c556507

Download Submit
memory/620-59-0x0000000000340000-0x0000000000366000-memory.dmp

Filesize
152KB

Download
memory/620-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/620-57-0x0000000000220000-0x0000000000249000-memory.dmp

Filesize
164KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1312-66-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download
memory/1312-67-0x0000000010000000-0x0000000010054000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing