d00c39d37b3f94d601182a49ea9ca8bf014af569f8da87510152af5bad4ea3f6

General

Target

131526a4f83609a01c47bbc3bafe8e8b.exe
Size

290KB
MD5

131526a4f83609a01c47bbc3bafe8e8b
SHA1

85591cfb0dfc86d0162b75dc5ace18a3c1bf350c
SHA256

d00c39d37b3f94d601182a49ea9ca8bf014af569f8da87510152af5bad4ea3f6
SHA512

7a472f489432987ac8efcd49ad36c4c138060af45a3cd34f5f320617859274fcb1992d2ed54fbebee23e2074eacef80e4e7bdaac94a8a66d40549a4cebb27735
SSDEEP

6144:i4mQH55dt3X7HOThSLBFZkjjJNGsyriSiAVEkE6cJHCco1:i4nX7HOmajlksyrlCkpcpC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1444	131526a4f83609a01c47bbc3bafe8e8b.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	131526a4f83609a01c47bbc3bafe8e8b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	131526a4f83609a01c47bbc3bafe8e8b.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1444	131526a4f83609a01c47bbc3bafe8e8b.exe
1444	131526a4f83609a01c47bbc3bafe8e8b.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	131526a4f83609a01c47bbc3bafe8e8b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28
PID 1444 wrote to memory of 2792	1444	131526a4f83609a01c47bbc3bafe8e8b.exe	28

C:\Users\Admin\AppData\Local\Temp\131526a4f83609a01c47bbc3bafe8e8b.exe
"C:\Users\Admin\AppData\Local\Temp\131526a4f83609a01c47bbc3bafe8e8b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sshnas21.dll

Filesize
235KB

MD5
f7c3382dae122c09a4d2c95797bbf4fe

SHA1
26dfb004e3f8324776ce18969122c285b9d3e735

SHA256
e8391849a9ee4d381652e72be8f85f23a9be3ad04098d0b57a75cb3a9f0f38c2

SHA512
705cb3e38e975df72ddc7228fd31184335e88c206bfd780d9b1328ac68d0c2be716b55e245090e66d0720b15623d94934da0bb8f10d04cc42fb6b9ce60bdf340

Download Submit
memory/1444-0-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1444-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1444-7-0x0000000000490000-0x000000000049B000-memory.dmp

Filesize
44KB

Download
memory/1444-8-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/1444-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2792-19-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-22-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-17-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-18-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-15-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-20-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-21-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-16-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-23-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-24-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-25-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-26-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-27-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-28-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download
memory/2792-29-0x0000000010000000-0x0000000010063000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads