19ea7bac511355b3b690cd3036a585746194bd2b1e015a1ee169f17dce1fac98

General

Target

2dd1f8250c4e0d9f2ddec638c1d1de67.exe
Size

151KB
MD5

2dd1f8250c4e0d9f2ddec638c1d1de67
SHA1

49bad3744e9a29c4fa3c42aff42a5eb1078f1233
SHA256

19ea7bac511355b3b690cd3036a585746194bd2b1e015a1ee169f17dce1fac98
SHA512

c637c0e46834ac5cdec5a8e93a081b221dcfa0ee210d9b6aadf59be33995a25a088da3624294fc79086a53eef4699d8691f06d7c6f71e445b9fd6d9fdde914fa
SSDEEP

3072:O0cSaH64CXQ253QU6q8TXkKu1eWmmcfyo0:O07Qq15gU6dkFgWmm

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2516	regedit.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe
2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2204	2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe	28
PID 2496 wrote to memory of 2204	2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe	28
PID 2496 wrote to memory of 2204	2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe	28
PID 2496 wrote to memory of 2204	2496	2dd1f8250c4e0d9f2ddec638c1d1de67.exe	28
PID 2204 wrote to memory of 2516	2204	regedt32.exe	29
PID 2204 wrote to memory of 2516	2204	regedt32.exe	29
PID 2204 wrote to memory of 2516	2204	regedt32.exe	29
PID 2204 wrote to memory of 2516	2204	regedt32.exe	29

C:\Users\Admin\AppData\Local\Temp\2dd1f8250c4e0d9f2ddec638c1d1de67.exe
"C:\Users\Admin\AppData\Local\Temp\2dd1f8250c4e0d9f2ddec638c1d1de67.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
8dd55d8cd478f9d20758acbc8511c6e6

SHA1
b8fec5e7b7841c327819fedee2f08a630950a1bb

SHA256
d5622bafa4a555a46880d20215e4abb240039229221abde4f724339096d6956c

SHA512
571e308e0f43df6a24f0b754e2df0d8b9f8dea21eef5d283cd58e84b48947857916115321b468c08faff71beff23781f0a3166a98b3cdbc95caf9d9344f636dc

Download Submit
\Users\Admin\Documents\Iterra\ykvyfcl.dll

Filesize
39KB

MD5
f217ddb2b49f173bd63c194be9a562a8

SHA1
1239966b877ea3d08e3e41e1d4975d4a9413f6e4

SHA256
e2c4672e38a8773ab52838985dec19a8d2166b4e9f801b3e53d01fead41253d9

SHA512
c11def96d7ca8056387f2480e8ea2d46d2e4a6cb1a886b918f8198083ed9156d8d9a8766871aa8bae5ba1ad3950b9e54f2b2c6313b8a59ba8a6ce0250859e652

Download Submit
memory/2496-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2496-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2496-11-0x0000000002E60000-0x0000000002F33000-memory.dmp

Filesize
844KB

Download
memory/2496-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-15-0x0000000002E60000-0x0000000002F33000-memory.dmp

Filesize
844KB

Download
memory/2496-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing