86351e5896c2470f511e56539e0c486bd8e08a350d93c426e3043adf35b63fd3

General

Target

5eb8b9f1319f292ba56d4bdd7aca6443.exe
Size

372KB
MD5

5eb8b9f1319f292ba56d4bdd7aca6443
SHA1

eaa0e54891ad885e91e3b3970b32a7bacfdea9c3
SHA256

86351e5896c2470f511e56539e0c486bd8e08a350d93c426e3043adf35b63fd3
SHA512

dfa9b121d800d644ac9cd67d40f743e7a9273c41abe8515e5f72104c6f678369c49f178ad0e54abf48ac108acfd7be11b5fc2ecaa8986c21c738b49b53e8efe5
SSDEEP

6144:6oRBN7rCXDteZ18GzEXIBGKjxqbfygVpGDjwj4vZKxW7qmpEXuIIc/SpzWJgpJDo:6ovN7rCX5s18J4Y1Dj4vZ4PpEcap6Un

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	5eb8b9f1319f292ba56d4bdd7aca6443.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	5eb8b9f1319f292ba56d4bdd7aca6443.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe
2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27
PID 2496 wrote to memory of 2288	2496	5eb8b9f1319f292ba56d4bdd7aca6443.exe	27

C:\Users\Admin\AppData\Local\Temp\5eb8b9f1319f292ba56d4bdd7aca6443.exe
"C:\Users\Admin\AppData\Local\Temp\5eb8b9f1319f292ba56d4bdd7aca6443.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sshnas21.dll

Filesize
310KB

MD5
5a2f35b9e0601b499290db95f2bc2859

SHA1
904a7150b74c5ea6375dba7737debdb5c73c025c

SHA256
4e668d05a5dcaa75ed328c1a562737e3795da216c9d4baddc3a28ac82885bc40

SHA512
e7c6faeb15514b6dc7b3904e0c3a06ebaefaedab0db6e6085b63d6af3dd59fe7cf992017f02854d90e34bad79cfcce41cf1da2303e4f41ed03bf3f46f45ac9f2

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
320KB

MD5
90f87c2a64e603dd877c3dfef79aff9c

SHA1
7a83e6852d615cd86ab996c06753784781bc1f6f

SHA256
b8163964145449932433ea59895e5cc6b729fde0d0dd11a637299566e7cae8ca

SHA512
9fe8f2b5ae5d68addd61293da3b90edb1f3abf01c60a4101114703fb6461aa4d605f6331d9c7f87ab3e4d1b4e0bae332d12a6ce51700704e80e04c567ef8ffbe

Download Submit
memory/2288-23-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-19-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-29-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-28-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-27-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-15-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-16-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-17-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-18-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-26-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-20-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-21-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-22-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-25-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2288-24-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2496-0-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2496-7-0x0000000000600000-0x000000000061B000-memory.dmp

Filesize
108KB

Download
memory/2496-1-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2496-9-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2496-8-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads