3f7418da1183ff5a5097153edeaf660f79d087e14c80c5ff83adac65e7f1d31d

General

Target

478a5b6c41a8fa5c13ad7ac81610bc77.exe
Size

277KB
MD5

478a5b6c41a8fa5c13ad7ac81610bc77
SHA1

4b51f9c35ae4bb561ad09fd57b81e493bf0fba2a
SHA256

3f7418da1183ff5a5097153edeaf660f79d087e14c80c5ff83adac65e7f1d31d
SHA512

fc6bd61143fe673f8c41b9aae4360b17769d04a05aafefa8f9c30302a941a17d64482d04cb5881e1968ee5d4e76132b68c3b55c334ca7ca3a837cea4b1f931ab
SSDEEP

6144:PweE9zK9FCp1ZLOSEMtmjYF6fmdKKpdOudK4RnttQAhFj+5S:GKOxEM6YFxe8Kont95

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.exe	dll.exe

Executes dropped EXE 2 IoCs

pid	Process
1632	dll.exe
1292	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe
1292	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\X3IN5YUUVH = "\"C:\\Users\\Admin\\AppData\\Roaming\\dll.exe\""	dll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.manifest\ = "manifest_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.manifest	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\manifest_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
568	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
568	AcroRd32.exe
568	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1632	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	29
PID 2004 wrote to memory of 1632	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	29
PID 2004 wrote to memory of 1632	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	29
PID 2004 wrote to memory of 1632	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	29
PID 2004 wrote to memory of 1632	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	29
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2004 wrote to memory of 2860	2004	478a5b6c41a8fa5c13ad7ac81610bc77.exe	28
PID 2860 wrote to memory of 568	2860	rundll32.exe	30
PID 2860 wrote to memory of 568	2860	rundll32.exe	30
PID 2860 wrote to memory of 568	2860	rundll32.exe	30
PID 2860 wrote to memory of 568	2860	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\478a5b6c41a8fa5c13ad7ac81610bc77.exe
"C:\Users\Admin\AppData\Local\Temp\478a5b6c41a8fa5c13ad7ac81610bc77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dll.exe.manifest
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dll.exe.manifest"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:568
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5EF4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5F16.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
415KB

MD5
6e2eefe43b144ad2e85fb1216e926718

SHA1
db62fecb530cc884fa006ecc0032e8ef1fbccd82

SHA256
85934660529cc3b150e0d6227a7849bf946dee985a05e318a3d5b7510c12e463

SHA512
943395c71648fe1ce26ff91d24b8d1f71a18890fa264945299baf21d85f6f6b46e940aa5d092c80ff3857b350c8fea7f6dcd18f4873b267a3c14cbfefb4fca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
343KB

MD5
440dde4a389255c5e40cb4bc4e0d06d0

SHA1
6bf22f69bbc235b3d6629aa9d7be506934e7eda0

SHA256
eedc8cb38c28efd6c5374b20d1d2e4cc045a80295ed9b41abe6a4ec56be218f2

SHA512
60a8746f5fa35a7f1bb5ed81f146ed20eb3e7eb3adbbc479476127558510220d7f36832ccc15ac85767185a5503f1a7d835fdae57660ff2ae701c9eb95ba92af

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe.manifest

Filesize
6KB

MD5
a281ebbfe607cc01b42843b9b993789a

SHA1
71ab44901bc9aaee8c94c0d924a95f9984842efb

SHA256
5823b8b8809f04b2aacdb215defe9559395a809e6ca97d44fdcdc577d85d3824

SHA512
ce0c327076e1336fa4a4ad5dc5685433dfacdcd1fbb4a7546735d3e3fe3cf343437067947a612efb30355be4881c316aa6f136523909cccbd91a870839013f04

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2b9bbb2c52771f913135b1b601d6193e

SHA1
1aa29d530c643a4e3d7f2a89f6c54f8cd60462cb

SHA256
5df919519c89312ce8587a13d470c2fb6e7f95ec8daf96fbbb6aed7df4b583bf

SHA512
bda1e48f5ad8fd2a02490625ed89fcfa0e35dcb8a110a97b2fdcc4ecd23de0f2d6ab1f646df44bc60fd873b7d123bc4f729964259c300dec455a60c887c3dc36

Download Submit
\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
412KB

MD5
b3e7eaa70abc3ebeaaff1aac3a3351e4

SHA1
d52d6c6e7639f1e21664cec6256a5f53a5c64e75

SHA256
c2c209260b65974d61818d9502061468e4d019b4637ab0a3c0b9bf75536331d2

SHA512
42693d834ec89922d8f31b1822c7bc3e13bf7785ff714687040240a7227e733fae5b74276d8e2dd59b3f53d4c9e1b6fb845c1e47e061a8c1cb3ceb7dab8d1240

Download Submit
\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
411KB

MD5
dec3af422a18168d8e90e8146b294c06

SHA1
823f6e437128a50fb8e7fb65878140e0c1c61cd3

SHA256
b4763b168aaba6cbe5c3b5db823268fec4f1516a9e7e437d342ec28966a42152

SHA512
0ee5e969a81c25adf9f703aac8a4e203d77c8281ec568e73a2aa90d41e784f35b5a438343f7ee592d02507e66a61cd8f921bd4d1c5e0e0cc55b5a64821a7108f

Download Submit
memory/1632-7-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1632-157-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads