7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f

General

Target

7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
Size

332KB
MD5

5102d7af1a6ddc808ac871c3f94014be
SHA1

ed0bb3d0679322ce5f0950e83ee06dbe17a1f00f
SHA256

7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f
SHA512

36b31c4c9ace6c1e85325566c301f98e8c717de14a94f14593f7d03b929409fcf84dd5de6baaec08274068045cd688dab8656a6c411694acdbec0054ace74229
SSDEEP

6144:K2qllNMJ3m4yEJAjXs/GXbrTI+I1CjmUC9/syjgF0PS0AXaktfZRZagAatLO:/qnkm4y2yXbrTI1C6UiJbPHAXrtfrZE2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe
1748	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28
PID 1812 wrote to memory of 1748	1812	7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe	28

C:\Users\Admin\AppData\Local\Temp\7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe
"C:\Users\Admin\AppData\Local\Temp\7ea999402515f9b025096bfa3a24caf06cb659f32fe96346c4deef5c3eb5c69f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
263KB

MD5
3030cff04c234575e8c3d16dcc03faa3

SHA1
01413da90d659e60ed7a82407dc27cb57572e760

SHA256
089cda11a6be8f07afe160815c2040651bc32e2667a75cc1f4633b79c1d0e53e

SHA512
230f93899bc19811f9c74b13910361b7597ae4f7a8887c975b4a039bc8d2607593994d9f48b338999d0b5f0c8a7e1f005c86bcc66dc957be38e38692f4f14758

Download Submit
memory/1748-66-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/1748-67-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/1812-59-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/1812-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1812-55-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/1812-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing