bddc212ad99db3b5c9b67a014a76614a7239a19ec3d6764afeae3b5ceeb497c4

General

Target

18a425f00e8d1e1084a42e80b6ab7113.exe
Size

76KB
MD5

18a425f00e8d1e1084a42e80b6ab7113
SHA1

9c8ff0bc7935d50d669e31b3cb6623a23e7f443d
SHA256

bddc212ad99db3b5c9b67a014a76614a7239a19ec3d6764afeae3b5ceeb497c4
SHA512

449538087a36fd52fe5f349ebe2acdf15cd41d7a3736c13b513fec8924729e6b70cc5b179d6dc804a2794c32b24c7f1504821e9ed8ccbbccc1bd047c0c77bd72
SSDEEP

1536:5kp50xHYeGh8wD04WMvsJSDq+JlNkrAaDEIo2m28fUbBHtGmF0W:s0xHYeGh8ww4WMvmSDX3AmA88bBZ/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uzohagasut = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\asypren.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 3016 wrote to memory of 2428	3016	18a425f00e8d1e1084a42e80b6ab7113.exe	28
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29
PID 2428 wrote to memory of 2584	2428	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe
"C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\asypren.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\asypren.dll",iep
    3⤵
    - Loads dropped DLL
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\asypren.dll

Filesize
76KB

MD5
1bda70e5cb2b14465c56af28bf061845

SHA1
bd8c4cb2681ddba508ff375fecc8ea3f0fffa01c

SHA256
e13349dd9a62b2740088024cd7e1af19a643e0d04843563b83270a747519718f

SHA512
df22237a7148cd03e796940131e53a15986778cccceb5f587a30c3c16f91f286cd0cbe2584a58e591c89dcf56ed02dbf95a2e1e6e2e2c26c2b3441637f012fbd

Download Submit
\Users\Admin\AppData\Local\asypren.dll

Filesize
57KB

MD5
5d667fd0948b8dfaad6c2ca674bb4eec

SHA1
71ab4c54c50d6c60f271522676810efebcbb60bc

SHA256
543958a0985a4c32adf5b8e8a16a674e38c16c57bddb421971c9d758b09883e8

SHA512
abcd0dede35dc94c3eefa8d434115a150b36996b8390b9bdb4e0fc26b2452754afe43857dfc49a3d3dcd0a3c83b8b8a8e09b75945279384f5fa6539ac6f13811

Download Submit
memory/2428-14-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2428-19-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2428-11-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2428-10-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2428-12-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2428-29-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2428-26-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2584-27-0x0000000000210000-0x0000000000250000-memory.dmp

Filesize
256KB

Download
memory/2584-30-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2584-33-0x0000000000210000-0x0000000000250000-memory.dmp

Filesize
256KB

Download
memory/3016-18-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/3016-17-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/3016-0-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3016-2-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/3016-1-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/3016-13-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads