8fb843ba497dfa1f6020cd072322efd3260b8b284423631aeda1d8712288c878

General

Target

0601bbf81cb7ab4aa18a55d9086f636e.exe
Size

61KB
MD5

0601bbf81cb7ab4aa18a55d9086f636e
SHA1

77cb5557dc22dba7d17959994914288f8c652274
SHA256

8fb843ba497dfa1f6020cd072322efd3260b8b284423631aeda1d8712288c878
SHA512

20dc5ade693ff65db105a91f76d97bb04efa41e3943b32d83a86645d9acb0e7d82ade725253b75496deea606a93284dda052dad4e553f93504bf54d4edc9ad50
SSDEEP

1536:xRw1zNZQaeG0wiIyZd2iQqGu4oyI2OxhAIMFsOIDT6dm:xRwlnQnG0wiIy4uMIrxTc

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 2 IoCs

pid	Process
1936	0601bbf81cb7ab4aa18a55d9086f636e.exe
2368	RunDll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Share = "RunDll32 \"C:\\Windows\\Media\\svclsaet.dll\",Init"	0601bbf81cb7ab4aa18a55d9086f636e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oobe\mshostup.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe
File opened for modification	C:\Windows\SysWOW64\oobe\mshostup.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\svclsaet.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe
File opened for modification	C:\Windows\Media\svclsaet.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe
File created	C:\Windows\Panther\logsrvet.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe
File opened for modification	C:\Windows\Panther\logsrvet.dll	0601bbf81cb7ab4aa18a55d9086f636e.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	0601bbf81cb7ab4aa18a55d9086f636e.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	0601bbf81cb7ab4aa18a55d9086f636e.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1936	0601bbf81cb7ab4aa18a55d9086f636e.exe
1936	0601bbf81cb7ab4aa18a55d9086f636e.exe
1936	0601bbf81cb7ab4aa18a55d9086f636e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 1128	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	6
PID 1936 wrote to memory of 1128	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	6
PID 1936 wrote to memory of 1220	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	12
PID 1936 wrote to memory of 1220	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	12
PID 1936 wrote to memory of 1264	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	11
PID 1936 wrote to memory of 1264	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	11
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27
PID 1936 wrote to memory of 2368	1936	0601bbf81cb7ab4aa18a55d9086f636e.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\0601bbf81cb7ab4aa18a55d9086f636e.exe
  "C:\Users\Admin\AppData\Local\Temp\0601bbf81cb7ab4aa18a55d9086f636e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32 "C:\Users\Admin\AppData\Local\Temp\96F2.tmp",Init
    3⤵
    - Loads dropped DLL
    PID:2368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\96F2.tmp

Filesize
58KB

MD5
954ae278062ec5db4f5c1e2fcfa79905

SHA1
a1f1ae731a955e4c688e5667981649baf47acada

SHA256
4683241676f4974d0f5ad3aab04724f9953ca959b5eaf895cdc4db2778e4351b

SHA512
2b750e5e63175d2c90c7e4e9a0f0074fd26e55341dfd8aabb7561985bc5508dbc6bb3ab7d5b2fa135676f6490203b58f3236775af1fda869ec89936003c3f471

Download Submit
memory/1128-16-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1128-17-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1936-4-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download
memory/1936-5-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download
memory/1936-32-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download
memory/2368-26-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-29-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download
memory/2368-31-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download
memory/2368-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2368-33-0x0000000075160000-0x0000000075183000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads