f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019

Analysis

max time kernel
6s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe
Size

30KB
MD5

e6280bd6214b516f4138457e21dcabd6
SHA1

fdf2903b0a7997be7af9fb2819cdcd3a49a7babb
SHA256

f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019
SHA512

8471e71532b09b32d493015474645cfe872a4747652c544d7ce0135a0bb21d6850a907997cd7721c5fa16a195aed2059d3e20ee514fbb046c5cb3e40c6fe930e
SSDEEP

768:NL3JOo71qJiNhs1wPttofkVKdnBJ5OxZMQexY4:tBcJe3KV75O8Y4

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mppds = "C:\\Windows\\mppds.exe"	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mppds.dll	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mppds.exe	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe
File opened for modification	C:\Windows\mppds.exe	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe
1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2692	1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe	44
PID 1260 wrote to memory of 2692	1260	f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe
  "C:\Users\Admin\AppData\Local\Temp\f982cfd08e5dc86a7abd9d09c01e089391abf8c4aa7fcfdf5b180c5d6b490019.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mppds.dll

Filesize
23KB

MD5
5ef4db5b20f142387bd827d0c58fcc2d

SHA1
646716407a19b65e8169562a11e384f00974b438

SHA256
27b56e89bf70b8db38652b1bbb08d4b906d67f2b0c1412f7131a172a10e9e30b

SHA512
525e635c6d50aef6c34f052028a057fd3ad556bcd33e07a634d4fe70c404a03393ac2f81f708e0c54ceabc7572441cfc344e9180d85981c1fe9918c01078f101

Download Submit