bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe
Size

118KB
MD5

60e0bb0651734e438a73d5fd130dae13
SHA1

3fd37138aeb73d4590f018fade81ce108f550269
SHA256

bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce
SHA512

5958b23206568a510ad3e2b01f6446e8ba208d179280206f83f0c4f2635287f7d8753e627a6df141c8f57f68b514ecb6739a06058229ff7d89e93ad0a6ec138d
SSDEEP

3072:hsNCMCN4me7rNzAuxq5XelL044RI4bX1C1uKJrF+SjGeRoc:hscBNqrNUuw5uh04LKi/5F+CGeRo

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3964	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mapap = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\mapap.dll\",FreeTempFileList"	bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D2D5C359-4CBA-4017-9D27-B1AB5A282D3F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83F109CD-CAB2-4607-ADB3-4BA450548BC8}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 3964	1152	bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe	75
PID 1152 wrote to memory of 3964	1152	bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe	75
PID 1152 wrote to memory of 3964	1152	bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe	75

C:\Users\Admin\AppData\Local\Temp\bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe
"C:\Users\Admin\AppData\Local\Temp\bda6c1ed66ad82ca4f51eb589abd5ee768c81e51cac6af4bc606b92d8ddac0ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\mapap.dll",GetCounter
  2⤵
  - Loads dropped DLL
  PID:3964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mapap.dll

Filesize
118KB

MD5
6315fe399f8f99bd5a76a17069efc4a6

SHA1
e957d2c5e35e3d229ebd7345d4902c9c38f94313

SHA256
93c2cd9f62bb4fd9deeb9e85c289521bab9c9e8e27698d26584ea5e170d12e0c

SHA512
9bef788bb4b2dbba0a0cbfd9a324b544d62f21660b55d42ad5e7a7720bd8b1e0bcc2f37f7ea797f8bb388629edb62b12c189b8b13ee9c674c0123390125d58e1

Download Submit
C:\Users\Admin\AppData\Roaming\mapap.dll

Filesize
118KB

MD5
6315fe399f8f99bd5a76a17069efc4a6

SHA1
e957d2c5e35e3d229ebd7345d4902c9c38f94313

SHA256
93c2cd9f62bb4fd9deeb9e85c289521bab9c9e8e27698d26584ea5e170d12e0c

SHA512
9bef788bb4b2dbba0a0cbfd9a324b544d62f21660b55d42ad5e7a7720bd8b1e0bcc2f37f7ea797f8bb388629edb62b12c189b8b13ee9c674c0123390125d58e1

Download Submit
memory/1152-132-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1152-134-0x0000000002150000-0x0000000002171000-memory.dmp

Filesize
132KB

Download
memory/1152-133-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1152-146-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/3964-142-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/3964-147-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads