18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 00:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
Size

2.8MB
MD5

1c73b5436b2573fe0f6c6a9128dafc20
SHA1

de6c45ffd85ff221fe0cf9477d6ee466220d9cc1
SHA256

18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934
SHA512

4f32bef4a81199448c86182bdb21f537cb0aaecc421d515e332569d3231d8c7e3e39f1afce176b551f50cb0cbb401834c2651b181e68d1a616f1e0c09f996976
SSDEEP

49152:RwGOuxArlWrOh/461qBANKVK9rosF1d2p0hvyVjTrDkbJj1m6mY8NEr:R2uxd0KM9rotpqsDq4Y8

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 3 IoCs

pid	Process
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
4944	rundll32.exe
384	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\StatMaker\StatMaker.dll	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\51d2f2ea = "JlAh/XD/c/AM/XD/HlAu/YZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\6185d035 = "Vx/2/Cx/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\iiid = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000\3efeb33e = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\060df2cd = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\d94388d2 = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000\493c7345 = 6900300031002b0030003600620030006f003000310044003000360049003000700078003000530030003600490030007000780031004f003000300025002500000070006c00310065003000360062003000690030003100540030003700380030006a0078003100420030003600450030006e0055003100680030003200490030006e006c0031002b00300037007800300000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\65114b36 = "VP/l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\1c311243 = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000\370856c7 = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\c24899a6 = "VP/g/CV/Vl/2/Cx////%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b003000320045003000610055003100650030003700300030006d00300031002b0030003600340030006d006c0031006500300036004900300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100650030003700300030006d003000310065003000370038003000700078003000530030003600450030006d006c00310042003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310057003000360074003000690030003100410030003700380030007000780031002b0030003200490030006e00550031004d00300036006d003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005900300036006800300071006c0031004d0030003600340030006d006c0031004a0030003700620030007100780031004100300036007400300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600340030007100550031004f0030003600450030006d006c0031004a00300036006d0030006e00550031005400300036007800300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600340030007100550031004f0030003600450030006d006c0031004a00300036006d0030006e00550031005400300036007800300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100570030003600450030006f0030003100530030003700620030006e0078003100440030003700780030006f00300031004e0030003600590030006a0078003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100570030003600450030006f0030003100530030003700620030006e0078003100440030003700780030006f00300031004e0030003600590030006a0078003000530030003600450030006d006c00310042003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005a0030003600340030006a00300031004400300036004f0030006900780031004e0030003700740030006f00550031004e0030003600590030006a0078003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005a0030003600340030006a00300031004400300036004f0030006900780031005a0030003600340030006e0030003100590030003200490030006e006c0031002b003000370078003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_078b2995\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4944	5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe	83
PID 5116 wrote to memory of 4944	5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe	83
PID 5116 wrote to memory of 4944	5116	18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe	83
PID 2408 wrote to memory of 384	2408	rundll32.exe	85
PID 2408 wrote to memory of 384	2408	rundll32.exe	85
PID 2408 wrote to memory of 384	2408	rundll32.exe	85

C:\Users\Admin\AppData\Local\Temp\18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe
"C:\Users\Admin\AppData\Local\Temp\18a15d56f85fb05b07a481d2bf43ed8342f52d1f908d40d7cd0ffc93ae957934.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\StatMaker\StatMaker.dll",serv -install
  2⤵
  - Loads dropped DLL
  PID:4944

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\StatMaker\StatMaker.dll",serv
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\StatMaker\StatMaker.dll",serv
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\StatMaker\StatMaker.dll

Filesize
1.9MB

MD5
78c8d1bc7fbb01b622ce76b7ae415f32

SHA1
487951edba051fb9453bbf4e8961abbf559f6704

SHA256
1417b2131f5b7bb9d7acc1c2ffc1313ff3b47de1552f47f8fea8cae4087c2740

SHA512
85ca0c9507a37fb23c516f85ae0763d8a83f886763d922e502a8a2793a5b5484298663185f9b3ebf9525be75ddde104849ee4d3491f813bb6546301193651038

Download Submit
C:\Program Files (x86)\StatMaker\StatMaker.dll

Filesize
1.9MB

MD5
78c8d1bc7fbb01b622ce76b7ae415f32

SHA1
487951edba051fb9453bbf4e8961abbf559f6704

SHA256
1417b2131f5b7bb9d7acc1c2ffc1313ff3b47de1552f47f8fea8cae4087c2740

SHA512
85ca0c9507a37fb23c516f85ae0763d8a83f886763d922e502a8a2793a5b5484298663185f9b3ebf9525be75ddde104849ee4d3491f813bb6546301193651038

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf5d831960.dll

Filesize
1.9MB

MD5
78c8d1bc7fbb01b622ce76b7ae415f32

SHA1
487951edba051fb9453bbf4e8961abbf559f6704

SHA256
1417b2131f5b7bb9d7acc1c2ffc1313ff3b47de1552f47f8fea8cae4087c2740

SHA512
85ca0c9507a37fb23c516f85ae0763d8a83f886763d922e502a8a2793a5b5484298663185f9b3ebf9525be75ddde104849ee4d3491f813bb6546301193651038

Download Submit
\??\c:\Program Files (x86)\StatMaker\StatMaker.dll

Filesize
1.9MB

MD5
78c8d1bc7fbb01b622ce76b7ae415f32

SHA1
487951edba051fb9453bbf4e8961abbf559f6704

SHA256
1417b2131f5b7bb9d7acc1c2ffc1313ff3b47de1552f47f8fea8cae4087c2740

SHA512
85ca0c9507a37fb23c516f85ae0763d8a83f886763d922e502a8a2793a5b5484298663185f9b3ebf9525be75ddde104849ee4d3491f813bb6546301193651038

Download Submit
memory/384-153-0x000000007FA00000-0x000000007FD58000-memory.dmp

Filesize
3.3MB

Download
memory/4944-146-0x000000007F3C0000-0x000000007F718000-memory.dmp

Filesize
3.3MB

Download
memory/5116-132-0x000000007ED10000-0x000000007F009000-memory.dmp

Filesize
3.0MB

Download
memory/5116-138-0x000000007E860000-0x000000007EBB8000-memory.dmp

Filesize
3.3MB

Download