9a6a99e76ce170b6abda7ba6fbe18d492b5276db3ca68ed273de74e5cb564e42

General

Target

4925b9c17c5c0de34eedf258f8f4f374.exe
Size

202KB
MD5

4925b9c17c5c0de34eedf258f8f4f374
SHA1

0a66255b71760d6fd467ad48c7be3816e32097c9
SHA256

9a6a99e76ce170b6abda7ba6fbe18d492b5276db3ca68ed273de74e5cb564e42
SHA512

dd49fb95737b42d93cbb3359ceefaa9fcecf3c4c66f22f19207cd513e2184524db666f0641f4896a43b817740b8d40c3c0cb99066d137795f750791be68295aa
SSDEEP

6144:lkaoTSj1byLqohs0g7ltVXPeAayyQqxa1m:UGpbyLLhCJfkyylG

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2604 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
Loads dropped DLL 8 IoCs

Processes:

4925b9c17c5c0de34eedf258f8f4f374.exerundll32.execmd.exeattrib.exe

pid process

1420 4925b9c17c5c0de34eedf258f8f4f374.exe
1704 rundll32.exe
1704 rundll32.exe
1704 rundll32.exe
1704 rundll32.exe
2604 cmd.exe
1352 attrib.exe
852

pid	process
2604	cmd.exe

pid	process
1360	Explorer.EXE

pid	process
1420	4925b9c17c5c0de34eedf258f8f4f374.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
2604	cmd.exe
1352	attrib.exe
852

Drops file in System32 directory 2 IoCs

Processes:

4925b9c17c5c0de34eedf258f8f4f374.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dccwskey.dll	4925b9c17c5c0de34eedf258f8f4f374.exe
File opened for modification	C:\Windows\system32\dccwskey64.dll	4925b9c17c5c0de34eedf258f8f4f374.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4925b9c17c5c0de34eedf258f8f4f374.exe

pid process

1420 4925b9c17c5c0de34eedf258f8f4f374.exe

pid	process
1420	4925b9c17c5c0de34eedf258f8f4f374.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4925b9c17c5c0de34eedf258f8f4f374.exerundll32.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 1704	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	rundll32.exe
PID 1420 wrote to memory of 1704	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	rundll32.exe
PID 1420 wrote to memory of 1704	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	rundll32.exe
PID 1420 wrote to memory of 1704	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	rundll32.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1704 wrote to memory of 1360	1704	rundll32.exe	Explorer.EXE
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1420 wrote to memory of 2604	1420	4925b9c17c5c0de34eedf258f8f4f374.exe	cmd.exe
PID 1704 wrote to memory of 1360	1704	rundll32.exe	Explorer.EXE
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe
PID 2604 wrote to memory of 1352	2604	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1352 attrib.exe

pid	process
1352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe
"C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dccwskey64.dll",CreateProcessNotify
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259414982.bat" "C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe""
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\4925b9c17c5c0de34eedf258f8f4f374.exe"
3⤵
- Loads dropped DLL
- Views/modifies file attributes
PID:1352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259414982.bat
Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
\Windows\SysWOW64\dccwskey.dll
Filesize
66KB

MD5
1b779622c0d6eec48ac0c1f3e39eb7b9

SHA1
db01babafb0bbd256dca940cbe3667774e76c80a

SHA256
ff0d559548eb5bcf7ee0368198cd74d2aca13b54dece875080653b677c81508a

SHA512
fc88df2a55dd082a568ade994ea0eaa6a581f94e797fbe3962eaa692e43ac5403b4e817ccc011445643d690022bfbe14f580f39a06b1cab14cbef0d8091c4a34

Download Submit
\Windows\System32\dccwskey64.dll
Filesize
75KB

MD5
4dab557dad0fb8ec95f66d5efe648b02

SHA1
b52d4d3c8429a132b7582cd8dbe89ec93da3dc05

SHA256
b8a5ae38b6d38327ae2abbeb70dec6ee9ac52cdc421f5585c4907e8088eb3849

SHA512
5dbc616b17578dfb4c620bcca3b040a89b5e771f34053ffe46ff449f0bea5f68f6c7db9eb7d43cddf7de7e34a94aeb29be4c2174bcec3de74a5a09a6bd70afbf

Download Submit
memory/1352-50-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1360-41-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1360-25-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1360-23-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1420-42-0x0000000001000000-0x0000000001035000-memory.dmp

Filesize
212KB

Download
memory/1420-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1420-6-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1420-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1420-43-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1420-1-0x0000000001000000-0x0000000001035000-memory.dmp

Filesize
212KB

Download
memory/1420-68-0x0000000001000000-0x0000000001035000-memory.dmp

Filesize
212KB

Download
memory/1420-69-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1704-22-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1704-14-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2604-54-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2604-70-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing