a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8

General

Target

a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe
Size

121KB
MD5

5a624377126ff053507017ccc02cf76b
SHA1

eb6ae38df92c1703b257f2a657d7e9ca86281a5e
SHA256

a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8
SHA512

f6a6aea4674b2eec333c4753dfd0887747632fb1114e7d4f5352c835197f7ab33a2dc2181fb75843209d65a290b9e84bc82713e0a1bf52b18ba82b91cffdb2d7
SSDEEP

3072:tpqUqOtLdVdp3JTMm9KDjeKAj3HBh8orLgyw9XUGQALFy:7q/cLdVdpam29EXB7gJ9XUbALY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2060	rundll32.exe
4636	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysHelpxx = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\AgereWebspl\\sysHelpxx.dll\",WdPath90 unimapARM"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}\Categories	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}\Categories\{CAFAF002-45CE-7F9C-B2A9-97ADCE459C7F} = "r4aNUalLBayBEWXDUCDTda"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}\Categories	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}\Categories\{E7BE90E5-DA70-C550-390E-F7BD18ECB0FC} = "1670436861"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{45BECA6E-B5F0-74DA-36C2-85A5F0B5DA74}\Categories\{56B26427-DF96-3F6C-EB33-453C1E8A1F46} = "464010"	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2060	4828	a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe	81
PID 4828 wrote to memory of 2060	4828	a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe	81
PID 4828 wrote to memory of 2060	4828	a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe	81
PID 2060 wrote to memory of 4636	2060	rundll32.exe	82
PID 2060 wrote to memory of 4636	2060	rundll32.exe	82
PID 2060 wrote to memory of 4636	2060	rundll32.exe	82

C:\Users\Admin\AppData\Local\Temp\a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe
"C:\Users\Admin\AppData\Local\Temp\a4406ad8767746b4c116bfc5cb52a2847f860d24ba6c2075e44725c293f0dda8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\smpWebTray.dll", WdPath90 xpUserplugin
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\AgereWebspl\sysHelpxx.dll",WdPath90 unimapARM
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AgereWebspl\sysHelpxx.dll

Filesize
144KB

MD5
9635b8e9c571b02812ae63ab8f9bdd5e

SHA1
81a076e8cd595b517da293f3b8963a604cea5303

SHA256
580f7d089d53fcc4e5c02eaba9f5356bf86bf5ec1472ad10469de8305e94f292

SHA512
6dca608ee270ccd1022a5e4fcaedae3c85ec701e6a9757105f61e29726b0acd6bec5bebadfca7b6db88cab7fb4880704c1ea2f19f3de4910d27af00fc623eb06

Download Submit
C:\Users\Admin\AppData\Local\AgereWebspl\sysHelpxx.dll

Filesize
144KB

MD5
9635b8e9c571b02812ae63ab8f9bdd5e

SHA1
81a076e8cd595b517da293f3b8963a604cea5303

SHA256
580f7d089d53fcc4e5c02eaba9f5356bf86bf5ec1472ad10469de8305e94f292

SHA512
6dca608ee270ccd1022a5e4fcaedae3c85ec701e6a9757105f61e29726b0acd6bec5bebadfca7b6db88cab7fb4880704c1ea2f19f3de4910d27af00fc623eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\smpWebTray.dll

Filesize
144KB

MD5
9635b8e9c571b02812ae63ab8f9bdd5e

SHA1
81a076e8cd595b517da293f3b8963a604cea5303

SHA256
580f7d089d53fcc4e5c02eaba9f5356bf86bf5ec1472ad10469de8305e94f292

SHA512
6dca608ee270ccd1022a5e4fcaedae3c85ec701e6a9757105f61e29726b0acd6bec5bebadfca7b6db88cab7fb4880704c1ea2f19f3de4910d27af00fc623eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\smpWebTray.dll

Filesize
144KB

MD5
9635b8e9c571b02812ae63ab8f9bdd5e

SHA1
81a076e8cd595b517da293f3b8963a604cea5303

SHA256
580f7d089d53fcc4e5c02eaba9f5356bf86bf5ec1472ad10469de8305e94f292

SHA512
6dca608ee270ccd1022a5e4fcaedae3c85ec701e6a9757105f61e29726b0acd6bec5bebadfca7b6db88cab7fb4880704c1ea2f19f3de4910d27af00fc623eb06

Download Submit

Analysis

Sharing