eeb7c4af49e7e5daad96703dd2aa97e5c66cd7b94930ec4ba7cc011ffe8fa0ae

General

Target

01f087e43808d90925ec99ccb7154773.exe
Size

203KB
MD5

01f087e43808d90925ec99ccb7154773
SHA1

aa7a69980f2a49ada5bcf162d43bd2b8958fb4b6
SHA256

eeb7c4af49e7e5daad96703dd2aa97e5c66cd7b94930ec4ba7cc011ffe8fa0ae
SHA512

9305109385bad4338bc6a6dd5a46561c789cac54d9fb42d45ccf3bdb9eebd3bf620e0c6e133f5c1d97d50f46c7f89bb7329c33d3032a5d94fe70f07a31e5102b
SSDEEP

6144:838XpOAhmmMKnKrrAoyOWK3dt7bQ0KSRCh8x:COpjnKgkWKtt7ySRCh8

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1240	Explorer.EXE

Loads dropped DLL 8 IoCs

pid	Process
1588	01f087e43808d90925ec99ccb7154773.exe
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
3052	cmd.exe
2968	attrib.exe
836	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dllhPlay.dll	01f087e43808d90925ec99ccb7154773.exe
File opened for modification	C:\Windows\system32\dllhPlay64.dll	01f087e43808d90925ec99ccb7154773.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1588	01f087e43808d90925ec99ccb7154773.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2708	1588	01f087e43808d90925ec99ccb7154773.exe	28
PID 1588 wrote to memory of 2708	1588	01f087e43808d90925ec99ccb7154773.exe	28
PID 1588 wrote to memory of 2708	1588	01f087e43808d90925ec99ccb7154773.exe	28
PID 1588 wrote to memory of 2708	1588	01f087e43808d90925ec99ccb7154773.exe	28
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 1588 wrote to memory of 3052	1588	01f087e43808d90925ec99ccb7154773.exe	29
PID 2708 wrote to memory of 1240	2708	rundll32.exe	9
PID 2708 wrote to memory of 1240	2708	rundll32.exe	9
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31
PID 3052 wrote to memory of 2968	3052	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2968	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1240
- C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe
  "C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dllhPlay64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259432049.bat" "C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\01f087e43808d90925ec99ccb7154773.exe"
      4⤵
      Loads dropped DLL
      Views/modifies file attributes
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259432049.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
C:\Windows\system32\dllhPlay64.dll

Filesize
74KB

MD5
0f6ada608f5b44d2ab9985451bf3e7ad

SHA1
3362a15c6107eb6f54bee7a679653edefc94fbc5

SHA256
021669f2daa816dd76882bb89b825a9a31b204499669efb44280c80077b1e7a5

SHA512
f62aeaad64904172eb4b637ae00e11d9683722e695290610c2911b77d0aac532fb2d174614950686fae5ad9bd6b4e77a544488709425edcc86992ad298699484

Download Submit
\Windows\SysWOW64\dllhPlay.dll

Filesize
68KB

MD5
a75036d01acc9d616197f438210f65fd

SHA1
61c520f525d683c326ec0b9ae965c3ae5461bb06

SHA256
3f883c91668d85446f87b0d6162756afdcc5dc77125830bb7b9cd26efa8fdd43

SHA512
40e3304a3efa1a273f3313ad7223a0cac27cd18c652e7496cdaf9f88c5da0e62215b4ef865e4dbd2bc884a644a5dbdc13a95e1940f130046dda66a8fc8e3152e

Download Submit
memory/1240-40-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1240-27-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1588-39-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1588-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1588-6-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1588-38-0x0000000001000000-0x0000000001035000-memory.dmp

Filesize
212KB

Download
memory/1588-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1588-1-0x0000000001000000-0x0000000001035000-memory.dmp

Filesize
212KB

Download
memory/2708-14-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2708-25-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/2968-47-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3052-22-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3052-48-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing