eb0453754198c3f128a1d86f0ffcc4d5effdc164d63bace0790540266a1bdeea

General

Target

43130985370d76c8d3b3ea6c2cee2e55.exe
Size

355KB
MD5

43130985370d76c8d3b3ea6c2cee2e55
SHA1

fb0cac7d2c4e6bf58df6f2fab053eb7c4e9c4c9d
SHA256

eb0453754198c3f128a1d86f0ffcc4d5effdc164d63bace0790540266a1bdeea
SHA512

5acd6b5637c8d7769c9307a09b76d7d645f21282dde4a60a5ed5849500564b6b23eb92a65fba98ce5243b3793a10aac852ad2fb5bf358d10b685baa1408c5d1f
SSDEEP

6144:GKeVYY3Z4fLdLmrvRTLFFPn8qXmvhz0B4ABqrZLGZHs3qw1GCEyn5:GKeVR3Z4fLdarjRnXXiaHANLiHs3qw1T

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2396	43130985370d76c8d3b3ea6c2cee2e55.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	43130985370d76c8d3b3ea6c2cee2e55.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	43130985370d76c8d3b3ea6c2cee2e55.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3064	2396	WerFault.exe	16

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2396	43130985370d76c8d3b3ea6c2cee2e55.exe
2396	43130985370d76c8d3b3ea6c2cee2e55.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2396	43130985370d76c8d3b3ea6c2cee2e55.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 2996	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	28
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29
PID 2396 wrote to memory of 3064	2396	43130985370d76c8d3b3ea6c2cee2e55.exe	29

C:\Users\Admin\AppData\Local\Temp\43130985370d76c8d3b3ea6c2cee2e55.exe
"C:\Users\Admin\AppData\Local\Temp\43130985370d76c8d3b3ea6c2cee2e55.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 400
  2⤵
  - Program crash
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sshnas21.dll

Filesize
320KB

MD5
9b45f5623542f980de3b63393d1f200a

SHA1
42715cc3e4d3477cad8e69ed743af7a6cb34fbef

SHA256
fa26a694c13fadc13ba94eb8965d57b4da2b85452cb018b5156ec493942cf9b4

SHA512
05d149c66f725f656be824b52a075451b6967fe1c0fe8a3577534beb981318dcd374a77c90810ddc328c33f2ca01fe6f0f0711a3cbdc6ae734b7a88e3b4ac5cb

Download Submit
memory/2396-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2396-1-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2396-8-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2396-7-0x0000000000350000-0x0000000000369000-memory.dmp

Filesize
100KB

Download
memory/2396-0-0x0000000000280000-0x000000000029B000-memory.dmp

Filesize
108KB

Download
memory/2996-19-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-22-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-17-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-18-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-14-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-20-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-21-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-16-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-23-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-24-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-25-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-26-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-27-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-28-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2996-29-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads