8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c

General

Target

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
Size

115KB
MD5

f92a5666ea36c16b839e87950e4d6ed9
SHA1

55c32079ec63bc4d1a9e8fd33ba829e463eab0b2
SHA256

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c
SHA512

2ceecf7c1181c256c45d81db084a7a8b3c4d6b1c27c91acbd7495581c892ae167859d22b90f9b1db44e2da28f594ffab73678866d957a2f4bcb223e270c92c87
SSDEEP

3072:CtJlBQjQbrxBSvp7PBEYcORIOCBSqIEkCtQ:OJnQEqPBdXRWSNjX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1400 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

468 rundll32.exe
468 rundll32.exe
468 rundll32.exe
468 rundll32.exe

pid	process
1400	cmd.exe

pid	process
468	rundll32.exe
468	rundll32.exe
468	rundll32.exe
468	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d9f2OTQl = "rundll32.exe C:\\6g4hZ0\\d9f2OTQl.dll,KieeBon"	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 468 set thread context of 920 468 rundll32.exe svchost.exe

description	pid	process	target process
PID 468 set thread context of 920	468	rundll32.exe	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exerundll32.exe

description	pid	process	target process
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 468	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 1276 wrote to memory of 1400	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 1276 wrote to memory of 1400	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 1276 wrote to memory of 1400	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 1276 wrote to memory of 1400	1276	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe
PID 468 wrote to memory of 920	468	rundll32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
"C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\6g4hZ0\d9f2OTQl.dll,KieeBon
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Adds Run key to start application
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe"
2⤵
- Deletes itself
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6g4hZ0\d9f2OTQl.dll
Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
\6g4hZ0\d9f2OTQl.dll
Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
\6g4hZ0\d9f2OTQl.dll
Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
\6g4hZ0\d9f2OTQl.dll
Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
\6g4hZ0\d9f2OTQl.dll
Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
memory/468-65-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/468-66-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/468-83-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/468-57-0x0000000000000000-mapping.dmp

Download
memory/920-80-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/920-82-0x0000000000401000-mapping.dmp

Download
memory/920-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1276-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1276-56-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1400-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing