e535913fa648bab922d87c9c2f1d4dcd0da6ea1878351a3656dbba0120c021d0

General

Target

063ca7f6fa16a021317cb3294be101d9.dll
Size

230KB
MD5

063ca7f6fa16a021317cb3294be101d9
SHA1

a5a2182ec396372f86174aaa466c8cccaa5ca538
SHA256

e535913fa648bab922d87c9c2f1d4dcd0da6ea1878351a3656dbba0120c021d0
SHA512

6ddefe61117898d3d04d18f94cab3aed49b7539dcaef6d24fde2a1349fe6391827c7403a00814896a15c010dfcfcc8c4d9276b25573d612cfecc3417e0c84afd
SSDEEP

1536:rlX3piGV13fYn/yF73wVComfIwIZqkbhwaQVTfOW0lsEr+5gL/lG8G8wik5it:JN13gnOZIwNo4fO7rMgbNwik5O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pgn = "{f8515a1e-70d9-c52e-81ea-70d9d2965863}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
868	rundll32.exe
868	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cta.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\cta.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ofm.dll	rundll32.exe
File created	C:\Windows\SysWOW64\kbi.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8515a1e-70d9-c52e-81ea-70d9d2965863}\InprocServer32\ = "C:\\Windows\\SysWow64\\kbi.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8515a1e-70d9-c52e-81ea-70d9d2965863}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8515a1e-70d9-c52e-81ea-70d9d2965863}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8515a1e-70d9-c52e-81ea-70d9d2965863}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f8515a1e-70d9-c52e-81ea-70d9d2965863}\InprocServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	rundll32.exe
868	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
868	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 868	3528	rundll32.exe	88
PID 3528 wrote to memory of 868	3528	rundll32.exe	88
PID 3528 wrote to memory of 868	3528	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\063ca7f6fa16a021317cb3294be101d9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\063ca7f6fa16a021317cb3294be101d9.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cta.dll

Filesize
444KB

MD5
4695e0c34e61f616882f6c005b5eaebd

SHA1
b199fb05bbbe084c70777193a8e08ec4d3a67fd9

SHA256
9d3a51aca42b2dfc3657aa4850edac368eb51fae1d704be674d91fadd94e1c3f

SHA512
d511a5ce4bececc273c96763ebb663ceb1f6938ab2560f35cb43f29cd88169e3b002cb07ae6c94e160ab8e5e64b399ab4f68f48856ca695e5b9e8f23e005fa0c

Download Submit
C:\Windows\SysWOW64\cta.dll

Filesize
351KB

MD5
4a30c67f7ca6e2871aabc3ff6a01871b

SHA1
8bf4c2463826b986af9974c370f31794143bffd1

SHA256
28b401aa9df6b372d8f5191b3952410e357f99a1e465d7d1ce80a04531506008

SHA512
65a873fb363c06540780019a64fac5ea7013c7e6f989d7033d967bc9b4701083501d6a1daf7aaf3f71ef108776f16760980b5ababdb052b26f46d09834bdf02e

Download Submit
C:\Windows\SysWOW64\ofm.dll

Filesize
425KB

MD5
1f5adc9db50015eba86960bc06f546df

SHA1
6dafe0b844078808141e1d2fcc0678f799ff44c3

SHA256
0e3d7352e1e2746596c7a048890cfb2599fab958af4a3a6dab30a9935acf82c0

SHA512
7d3025620196977d597d8864a8a59fbbcce2cbf880e92359f9922011d83f82ce6c8273022aa3697cb9beb2b22178a5a9d59d3fe4fd0ddb2348872141d1d2e359

Download Submit
memory/868-14-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-12-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-13-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-6-0x00000000775C0000-0x000000007763A000-memory.dmp

Filesize
488KB

Download
memory/868-16-0x00000000775C0000-0x000000007763A000-memory.dmp

Filesize
488KB

Download
memory/868-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-19-0x00000000775C0000-0x000000007763A000-memory.dmp

Filesize
488KB

Download
memory/868-20-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-21-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-22-0x00000000765D0000-0x00000000766C0000-memory.dmp

Filesize
960KB

Download
memory/868-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads