dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2

General

Target

dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
Size

209KB
MD5

2cb75b7af243d820e0c37e0b50e4c61b
SHA1

adca7bc90f81339351afced031eb39466c314470
SHA256

dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2
SHA512

2bf9f2b698194cd1859a795c490dde7cd771e8985c864c1703ac39495d81af8a1ea2767de904281ec1fd8231992c4eef264cfb9633a7b96c748a2e9d6562d241
SSDEEP

6144:XbNTOL0/g28bS6tYIyga2ZzyA/S65Ti5DCTXWp:LBV/gJc4z3/P5etCT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28
PID 2028 wrote to memory of 2016	2028	dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe	28

C:\Users\Admin\AppData\Local\Temp\dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe
"C:\Users\Admin\AppData\Local\Temp\dc4d4aa69fe33ea6b7d9eec3f9d01e637371fde5647a09ba2cec5f20597d30e2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
46a511caa5ad0ce70895f0fc8044a80f

SHA1
5d61b47ce5b46b0629c989abdc73d074f50e9d87

SHA256
2c98291982fa0d2e2a69854180c004f7bdb345d97f057ae4e2068810bfbbf959

SHA512
64baff09642206399414238c1f23dac98f4f10c3117dd3d364715037040c6a8408bcb841042b2e034cd2dff4e44bce27dd59bff7b9aa2fc8a4fdd7898b8c63e4

Download Submit
memory/2016-67-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2016-68-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2028-57-0x00000000002B0000-0x00000000002D4000-memory.dmp

Filesize
144KB

Download
memory/2028-59-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2028-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/2028-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing