e56d21401db107c5e6c7b7e71a8236bf506cb352ff14b38495a7944e5f8a1397

General

Target

56bf51ba72b6aa8cf3876d17869be47a.dll
Size

60KB
MD5

56bf51ba72b6aa8cf3876d17869be47a
SHA1

1edd5c50a648f5e42dd3e3912810c2abe6b6b8ca
SHA256

e56d21401db107c5e6c7b7e71a8236bf506cb352ff14b38495a7944e5f8a1397
SHA512

edc6302b57786253fc88e22d7223e5ec1907944b63628849c720994b337c540c661e8e7315639e054c2b1d9d31c1eea48902f0137bdae4814b4eb3d16bdc8eac
SSDEEP

1536:H4Mev4M8IeRw/gbx1WOXlh9lYTOn8ZAWm26rPrjdeh7:H4Mgue/gbxUS4xZnm2OT5A7

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Canvas = "RunDll32 \"C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\msethost.dll\",Init"	rundll32.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\lsalogms.dll	rundll32.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\msethost.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\msethost.dll	rundll32.exe
File created	C:\Program Files (x86)\Common Files\Services\srvupsvc.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\srvupsvc.dll	rundll32.exe
File created	C:\Program Files (x86)\Common Files\lsalogms.dll	rundll32.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1648 wrote to memory of 1744	1648	rundll32.exe	28
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1216	1744	rundll32.exe	13
PID 1744 wrote to memory of 1216	1744	rundll32.exe	13
PID 1744 wrote to memory of 1320	1744	rundll32.exe	12
PID 1744 wrote to memory of 1320	1744	rundll32.exe	12
PID 1744 wrote to memory of 1360	1744	rundll32.exe	11
PID 1744 wrote to memory of 1360	1744	rundll32.exe	11
PID 1744 wrote to memory of 1648	1744	rundll32.exe	20
PID 1744 wrote to memory of 1648	1744	rundll32.exe	20
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29
PID 1744 wrote to memory of 1952	1744	rundll32.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56bf51ba72b6aa8cf3876d17869be47a.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\56bf51ba72b6aa8cf3876d17869be47a.dll,#1
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32 "C:\Users\Admin\AppData\Local\Temp\56bf51ba72b6aa8cf3876d17869be47a.dll",Init
      4⤵
      PID:1952

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\lsalogms.dll

Filesize
60KB

MD5
56bf51ba72b6aa8cf3876d17869be47a

SHA1
1edd5c50a648f5e42dd3e3912810c2abe6b6b8ca

SHA256
e56d21401db107c5e6c7b7e71a8236bf506cb352ff14b38495a7944e5f8a1397

SHA512
edc6302b57786253fc88e22d7223e5ec1907944b63628849c720994b337c540c661e8e7315639e054c2b1d9d31c1eea48902f0137bdae4814b4eb3d16bdc8eac

Download Submit
memory/1216-10-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1216-9-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1744-0-0x0000000075530000-0x0000000075553000-memory.dmp

Filesize
140KB

Download
memory/1744-1-0x0000000075530000-0x0000000075553000-memory.dmp

Filesize
140KB

Download
memory/1744-25-0x0000000075530000-0x0000000075553000-memory.dmp

Filesize
140KB

Download
memory/1952-23-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1952-24-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1952-26-0x0000000075530000-0x0000000075553000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads