c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729

General

Target

c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Size

180KB
MD5

5ac9fd08110f4ed22a09ae581a6b0c38
SHA1

9aa7c22cee19760ee7ea8b85c9e63b7c7c6d3d91
SHA256

c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729
SHA512

cf107e1e3e675ab77c310aeceb9e802753a62369a2d1dcb2531117a30102271d1a2cfbb54d2e2be58373f3f4edcbd559cad876e24af1350f1b0af9f665d05943
SSDEEP

3072:Q5LCtd5s2Gns8MKrXm2SGqlOx4NG63c8q9ile+HcRZCCy7iZN7vR:Ed2Gns8M4SGqlOx4RU9yORZgiPR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2044	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Remoete.dll	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
File created	C:\Program Files\Common Files\s.dll	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32\ = "C:\\Program Files\\Common Files\\s.dll"	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32\Both = "C:\\windows\\temp\\svchost.exe"	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27
PID 1948 wrote to memory of 2044	1948	c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe	27

C:\Users\Admin\AppData\Local\Temp\c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe
"C:\Users\Admin\AppData\Local\Temp\c6e301a8ddf7dcc8dd847feb8c439165b8da7c9d3529b6c220d58524aae46729.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\Remoete.dll" WWWW
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Remoete.dll

Filesize
11.1MB

MD5
a6c84f16343ccd8d9fce81bdd87bb337

SHA1
a8940ef5bb847176fdcf7b08829b5e9b16ea2956

SHA256
39374e9cb65bd04ec25d3118720b4c8c2c8aa7ba8abfe03a29e7d9833f7580b4

SHA512
4f596a57df36468d3013edbcacde87d01b71a5eedcc4153a42027e40b6f1c3de83dd3bceb00c59d32df3ab6c424218f09ba3f5c5e48f9abdfdbb44572406f9fd

Download Submit
\Program Files\Common Files\Remoete.dll

Filesize
11.1MB

MD5
a6c84f16343ccd8d9fce81bdd87bb337

SHA1
a8940ef5bb847176fdcf7b08829b5e9b16ea2956

SHA256
39374e9cb65bd04ec25d3118720b4c8c2c8aa7ba8abfe03a29e7d9833f7580b4

SHA512
4f596a57df36468d3013edbcacde87d01b71a5eedcc4153a42027e40b6f1c3de83dd3bceb00c59d32df3ab6c424218f09ba3f5c5e48f9abdfdbb44572406f9fd

Download Submit
\Program Files\Common Files\Remoete.dll

Filesize
11.1MB

MD5
a6c84f16343ccd8d9fce81bdd87bb337

SHA1
a8940ef5bb847176fdcf7b08829b5e9b16ea2956

SHA256
39374e9cb65bd04ec25d3118720b4c8c2c8aa7ba8abfe03a29e7d9833f7580b4

SHA512
4f596a57df36468d3013edbcacde87d01b71a5eedcc4153a42027e40b6f1c3de83dd3bceb00c59d32df3ab6c424218f09ba3f5c5e48f9abdfdbb44572406f9fd

Download Submit
\Program Files\Common Files\Remoete.dll

Filesize
11.1MB

MD5
a6c84f16343ccd8d9fce81bdd87bb337

SHA1
a8940ef5bb847176fdcf7b08829b5e9b16ea2956

SHA256
39374e9cb65bd04ec25d3118720b4c8c2c8aa7ba8abfe03a29e7d9833f7580b4

SHA512
4f596a57df36468d3013edbcacde87d01b71a5eedcc4153a42027e40b6f1c3de83dd3bceb00c59d32df3ab6c424218f09ba3f5c5e48f9abdfdbb44572406f9fd

Download Submit
\Program Files\Common Files\Remoete.dll

Filesize
11.1MB

MD5
a6c84f16343ccd8d9fce81bdd87bb337

SHA1
a8940ef5bb847176fdcf7b08829b5e9b16ea2956

SHA256
39374e9cb65bd04ec25d3118720b4c8c2c8aa7ba8abfe03a29e7d9833f7580b4

SHA512
4f596a57df36468d3013edbcacde87d01b71a5eedcc4153a42027e40b6f1c3de83dd3bceb00c59d32df3ab6c424218f09ba3f5c5e48f9abdfdbb44572406f9fd

Download Submit
\Program Files\Common Files\s.dll

Filesize
11.0MB

MD5
89705ef7c6641e04db2a4d85eed44a75

SHA1
daebd11bf830ccb7b7c67c5c8ad4b62fc5eae32e

SHA256
abf47a4d4d077d165810c99d048cfc9ee516bf891ae366563694d978fc82b023

SHA512
6968cbcd257dfe97d87463e5845868e70bd74c6530a5b720c21f28fd3dbf6488000f1b0aa70c81c055b0eadddc551bbb5fb804abafed9e2109147f5b6046e6c0

Download Submit
memory/1948-55-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1948-63-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2044-57-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing