661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817

General

Target

661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Size

543KB
MD5

825100d6daff20bdd270b180f808d806
SHA1

c79792ebd55b9b917b80eb96c5775c3b82e802b7
SHA256

661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817
SHA512

4e1097be9dfcd225739d9e5c25b98bb7e3eccc1ea7b31b849c474fb67290e6262c78b188971f3e6217036e76c83e476d33d930ffebe2c2f3d92adf62372f497c
SSDEEP

6144:oa7m8DALU2df1HgpW+AvnfHFfCzGaEsu3c3ylXbWSullT/qYsgbWa6nU52QSFpnz:PUk5L52QSFpIc3bIKTsusSDz8hFPhs7

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsm service	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsm service = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\lsm.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinLogon	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinLogon = "C:\\Windows\\System32\\drivers\\winlogon.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\winlogon.exe	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCX208A.tmp	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Executes dropped EXE 2 IoCs

pid	Process
3636	dllhost.exe
4584	dllhost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spooler	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spooler = "C:\\ProgramData\\spoolsv.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinLogon	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinLogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\MICROS~1\dllhost.exe	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
File opened for modification	C:\PROGRA~3\MICROS~1\RCX22BF.tmp	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\spoolsv.exe	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
File opened for modification	C:\Windows\RCX2241.tmp	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\DllHost3g	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\DllHost3g = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhst3g.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhst3g.exe"	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3636	2288	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe	81
PID 2288 wrote to memory of 3636	2288	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe	81
PID 2288 wrote to memory of 3636	2288	661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe	81
PID 3636 wrote to memory of 4584	3636	dllhost.exe	83
PID 3636 wrote to memory of 4584	3636	dllhost.exe	83
PID 3636 wrote to memory of 4584	3636	dllhost.exe	83

C:\Users\Admin\AppData\Local\Temp\661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe
"C:\Users\Admin\AppData\Local\Temp\661b7a8563f9623a5cb7d25c0d2da3428beb62e4582ac05e1839997a6ee30817.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2288
- C:\PROGRA~3\MICROS~1\dllhost.exe
  C:\PROGRA~3\MICROS~1\dllhost.exe /a 1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\PROGRA~3\MICROS~1\dllhost.exe
    C:\PROGRA~3\MICROS~1\dllhost.exe /a 2
    3⤵
    - Executes dropped EXE
    PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\dllhost.exe

Filesize
543KB

MD5
cb3a643097a29585754a90beb0b52289

SHA1
998922b4975fdf1f5a8d0f616e51454fa39f3af4

SHA256
7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2

SHA512
9098d8e71ec87bc72207f8078655e9fd445635ee2677005a4a390fc24cddbbd5370f5f31fab431ad61bcbba08fa16ae8e2c18a8cfb01d8573f14b8b3075d8e3d

Download Submit
C:\ProgramData\Microsoft\dllhost.exe

Filesize
543KB

MD5
cb3a643097a29585754a90beb0b52289

SHA1
998922b4975fdf1f5a8d0f616e51454fa39f3af4

SHA256
7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2

SHA512
9098d8e71ec87bc72207f8078655e9fd445635ee2677005a4a390fc24cddbbd5370f5f31fab431ad61bcbba08fa16ae8e2c18a8cfb01d8573f14b8b3075d8e3d

Download Submit
C:\ProgramData\Microsoft\dllhost.exe

Filesize
543KB

MD5
cb3a643097a29585754a90beb0b52289

SHA1
998922b4975fdf1f5a8d0f616e51454fa39f3af4

SHA256
7759324731afc62e0187af8cc658d6ef066f3dd7ebfd233f28b92281fe4a05b2

SHA512
9098d8e71ec87bc72207f8078655e9fd445635ee2677005a4a390fc24cddbbd5370f5f31fab431ad61bcbba08fa16ae8e2c18a8cfb01d8573f14b8b3075d8e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
0add040528c8215d040ce3489ad106ad

SHA1
181f07eedc4bcd43efbe1d88880eaf2806eecb3a

SHA256
27abd241b03c78cb1d40cc8b51c69958ac4ec1b192d9b65b101bbeba39cd0106

SHA512
a485664036cfae46939595f61718ecd2c9d17f985da9213e1fc394f59442eebda9351d258260a0f00895186bc62b20f16d3a5921a45666431c2b6aa9b9876393

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads