e815a48af4af93eb89208edd5d5ce95710fed1d883f8f42d1ee817ce3161aebe

General

Target

5a155113f32db943e00f486a75462838.exe
Size

205KB
MD5

5a155113f32db943e00f486a75462838
SHA1

bdc16b72b7095d54f7c3537f08702e8d8bc0e458
SHA256

e815a48af4af93eb89208edd5d5ce95710fed1d883f8f42d1ee817ce3161aebe
SHA512

998043f1747a98c29314016efa8af276f247165ed2f5121e818cd944e957625a65e562188917fcaf2f7e3d80e30eb7b4a87b82477aef12253daf6a32f08ddbbb
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87tw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2164	5a155113f32db943e00f486a75462838.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	5a155113f32db943e00f486a75462838.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	5a155113f32db943e00f486a75462838.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2164	5a155113f32db943e00f486a75462838.exe
2164	5a155113f32db943e00f486a75462838.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	5a155113f32db943e00f486a75462838.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28
PID 2164 wrote to memory of 2080	2164	5a155113f32db943e00f486a75462838.exe	28

C:\Users\Admin\AppData\Local\Temp\5a155113f32db943e00f486a75462838.exe
"C:\Users\Admin\AppData\Local\Temp\5a155113f32db943e00f486a75462838.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
f2a13966519c06d1315551320a97f04c

SHA1
f1133316795be24f33bda67d3e43143484cb5dde

SHA256
72ebef5fe4e4f571017491bd4705a27a1e017b2d208c83f86a7c4b28536cf111

SHA512
900ee9b01fdf3f0bd64e6797b27f23b4cf12fc828ca3b3d4e3936c2b3e91c9722c94e17071d91d9ad9f6c42ceb779880c458986857d4be8a1487053b3a044b20

Download Submit
memory/2080-26-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-22-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-32-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-31-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-30-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-18-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-19-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-20-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-21-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-29-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-23-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-24-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-25-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-28-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2080-27-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2164-1-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/2164-8-0x0000000000480000-0x0000000000493000-memory.dmp

Filesize
76KB

Download
memory/2164-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-9-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads