8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a

General

Target

8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
Size

211KB
MD5

1ba491a2f25e9fbdc78e57eab0909f14
SHA1

2aaf0010c2ed68c7c10b2f40807e36833758b8e1
SHA256

8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a
SHA512

22783a6ef2f647847f491e78817c9acdfcce8e698a63715abc54175d3153b2f2b377b1e85da079624ed087832599d282fc2cfa8fd3c7ea7a2382440c0057e985
SSDEEP

6144:1xOnyc2SQgayyI3yVcIGOLZLqOABI5dtshDneKZ:1xMyHTgaqCJGuT8eKZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe
688	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28
PID 1488 wrote to memory of 688	1488	8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe	28

C:\Users\Admin\AppData\Local\Temp\8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe
"C:\Users\Admin\AppData\Local\Temp\8fad4697dafdfc1d16724ddf33f748a5704eaab0d97a4d105980c7e71ca45a6a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
172KB

MD5
e71572dbec17e90d2e48839ccc350804

SHA1
2b0bff691394fc7d64629e85f449d2f46c9da4f2

SHA256
37abe146a400aaa2a55d95b488fed81c51e476ce7489a93daf81f8a11ddd9667

SHA512
4846a273301923b7b5ea1093ee325332b1bf7c1d40f51de3218ca57f854560e6864f1e6488e85c7d062afd9476e7c2353b6cfcb029533a34239323e226d765cb

Download Submit
memory/688-66-0x0000000000640000-0x000000000066C000-memory.dmp

Filesize
176KB

Download
memory/688-67-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/688-68-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/1488-58-0x0000000004A70000-0x0000000004A9A000-memory.dmp

Filesize
168KB

Download
memory/1488-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-60-0x0000000004BD0000-0x0000000004BFC000-memory.dmp

Filesize
176KB

Download
memory/1488-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing