5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f

General

Target

5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe
Size

170KB
MD5

3885f2cdedf7facbec539074330331ab
SHA1

00d27c8dd889dd03559d5ce37330a19b6fd6da22
SHA256

5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f
SHA512

a270c6743a27402ad381046f8c42ec0eb97678605a66b5f70e6c0d343811ed7098a8e978db1b300acee0c7b238ab411105f67e629218d800f89923b043bc0af3
SSDEEP

3072:4gXdZt9P6D3XJcMCFW8p9gyWDlnADWOTosCCLMAjPkbBvrELb8AHmqP:4e34fCFB9TWpnhOTOCLMEeZEL1H1P

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
904	rundll32.exe
904	rundll32.exe
904	rundll32.exe
904	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netscape = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Netscape\\eynybybg.dll,DllRegisterServer"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
904	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 1940 wrote to memory of 904	1940	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	27
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28
PID 904 wrote to memory of 1756	904	rundll32.exe	28

C:\Users\Admin\AppData\Local\Temp\5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe
"C:\Users\Admin\AppData\Local\Temp\5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll",DllRegisterServer
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Netscape\eynybybg.dll,DllRegisterServer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
\Users\Admin\AppData\Local\Temp\nsy6569.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
memory/1756-64-0x0000000008730000-0x0000000008802000-memory.dmp

Filesize
840KB

Download
memory/1756-65-0x0000000008730000-0x0000000008802000-memory.dmp

Filesize
840KB

Download
memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing