c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24

General

Target

c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe
Size

126KB
MD5

ea272cc0a9e2e49a5fa04f4ea04baef4
SHA1

54f79b4233a7981e72e6a2bffeb9dfb2cb913d35
SHA256

c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24
SHA512

277f8fca063f69755068d87d03d44c6819c91f7ec7e349fe8b5e83f3b71c9ab754933b927a5bd586c23108873ca589eea3f9a22a358906a62ce19a1560a8d3ae
SSDEEP

1536:2UBGDs5dcfacfNogEJ/0MvC3sNpxuhvQ7jsSj9J4OmjzH1DAanaamScEUFQTPCMu:2I5d0fNLOP68NpEvQntBHKHR5nIiaMmD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3208	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jmp98Cq7 = "rundll32.exe C:\\9x7kQ8\\jmp98Cq7.dll,GrhcRgxar"	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 528	3208	rundll32.exe	82

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.naver.com"	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3208	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	79
PID 5052 wrote to memory of 3208	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	79
PID 5052 wrote to memory of 3208	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	79
PID 5052 wrote to memory of 3680	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	80
PID 5052 wrote to memory of 3680	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	80
PID 5052 wrote to memory of 3680	5052	c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe	80
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82
PID 3208 wrote to memory of 528	3208	rundll32.exe	82

C:\Users\Admin\AppData\Local\Temp\c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe
"C:\Users\Admin\AppData\Local\Temp\c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\9x7kQ8\jmp98Cq7.dll,GrhcRgxar
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\System32\svchost.exe
    3⤵
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\c6b1ea1dc17260a09c0b277a766ecdc73c3257f318bc00fbec95bd9fca48ce24.exe"
  2⤵
  PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9x7kQ8\jmp98Cq7.dll

Filesize
102KB

MD5
002c306669afa6d78fc2b4b247bbf611

SHA1
d50b49ab153cd2c427a5a22f148677e24e942c32

SHA256
84d1b3a687e6bd96a580499ff9f970a8253501501718c486605f20e4e41a1621

SHA512
57d655820c7fe52b80c6d0c2777d8e8d9335a0fcc5d0da55e4e46e79cc714f4653842556071b5f28ff6a201e0480b225f00ff2bff259eef391757a19398158fd

Download Submit
C:\9x7kQ8\jmp98Cq7.dll

Filesize
102KB

MD5
002c306669afa6d78fc2b4b247bbf611

SHA1
d50b49ab153cd2c427a5a22f148677e24e942c32

SHA256
84d1b3a687e6bd96a580499ff9f970a8253501501718c486605f20e4e41a1621

SHA512
57d655820c7fe52b80c6d0c2777d8e8d9335a0fcc5d0da55e4e46e79cc714f4653842556071b5f28ff6a201e0480b225f00ff2bff259eef391757a19398158fd

Download Submit
memory/528-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-139-0x00000000010B0000-0x00000000010B3000-memory.dmp

Filesize
12KB

Download
memory/3208-138-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3208-147-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/5052-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5052-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads