a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146

General

Target

a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
Size

202KB
MD5

148270bf298fcb4033d6c42c91648176
SHA1

6cba9f11e63ecb3289e57cc5712a0147423d40b2
SHA256

a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146
SHA512

ac7aa90c6d0db79d8702c5ccfa2ad1d5e544108d140a528c70ade071f00a9f1e5367a6e9a4734f979ff259d35a4c7be17fa62516b7fd968385cdecec688ab715
SSDEEP

6144:ikG6TWCM3bi3P+KwqGFnoYvTK4XiMz9Hp7gfgT2uwI1k2:06/r/+GYbKc9J78gT2i1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27
PID 2032 wrote to memory of 2028	2032	a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe	27

C:\Users\Admin\AppData\Local\Temp\a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe
"C:\Users\Admin\AppData\Local\Temp\a4865ca33b0d587f210d984cbce591c690f59cf2122c62cb9d2eb4a13cc3a146.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
2b78b21016e70b909ee844f754dd30c9

SHA1
562bdffe94743b2c38c6f49b2415b6addee208e9

SHA256
4ac4c7a95c530228811ec3457fb73fc3614d9c6d36da563a83f5cea1dc26a1cc

SHA512
e0c549e7b0c922b67c605e2fd8dd945955111e59b329ea9a285a144f5d34c57b99b3d19e13ea22e96256a1194b56026e96d47a34a76c0d907748d843fbf80d7b

Download Submit
memory/2028-67-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2028-68-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2032-59-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/2032-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing