046a1ab07d00310dfdbb8390f614bf3cd90aad379c5c713fc62889ea72792335

General

Target

71b2f3c40cf873641f39dde41d160c6a.exe
Size

608KB
MD5

71b2f3c40cf873641f39dde41d160c6a
SHA1

ca0aa9c6e5be1fba93ca3a5da3ed01584f3c9495
SHA256

046a1ab07d00310dfdbb8390f614bf3cd90aad379c5c713fc62889ea72792335
SHA512

1ed5e3b99974e434494d952e65df913dd6dfd599fd08161a024489e8efed78c04facaa91473124b8179f6db97c58186e0b962840f2ba511bf74f9083994fa87e
SSDEEP

12288:72KXHc77k5zsOn91Sbj+1+rG1Bhdk6b4LsXbqFVZguy1ukVLoGERBo2:72KXeCz7I+1GMdkVTcv1VVKt

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

259398540.exe259398541.exelnUMnIoxFh.exe

pid process

1112 259398540.exe
1104 259398541.exe
2588 lnUMnIoxFh.exe

pid	process
1112	259398540.exe
1104	259398541.exe
2588	lnUMnIoxFh.exe

Loads dropped DLL 15 IoCs

Processes:

71b2f3c40cf873641f39dde41d160c6a.exerundll32.exe259398541.exelnUMnIoxFh.exerundll32.exe

pid	process
2220	71b2f3c40cf873641f39dde41d160c6a.exe
2220	71b2f3c40cf873641f39dde41d160c6a.exe
2220	71b2f3c40cf873641f39dde41d160c6a.exe
2220	71b2f3c40cf873641f39dde41d160c6a.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
1104	259398541.exe
1104	259398541.exe
2588	lnUMnIoxFh.exe
2452	rundll32.exe
2452	rundll32.exe
2452	rundll32.exe
2452	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe259398541.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjetamepixoh = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\SDApencm.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lnUMnIoxFh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lnUMnIoxFh.exe"	259398541.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

259398541.exelnUMnIoxFh.exerundll32.exe

pid	process
1104	259398541.exe
1104	259398541.exe
2588	lnUMnIoxFh.exe
2588	lnUMnIoxFh.exe
2588	lnUMnIoxFh.exe
2588	lnUMnIoxFh.exe
2588	lnUMnIoxFh.exe
2588	lnUMnIoxFh.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lnUMnIoxFh.exe

pid process

2588 lnUMnIoxFh.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

lnUMnIoxFh.exe

pid process

2588 lnUMnIoxFh.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

259398541.exelnUMnIoxFh.exe

pid process

1104 259398541.exe
2588 lnUMnIoxFh.exe

pid	process
2588	lnUMnIoxFh.exe

pid	process
2588	lnUMnIoxFh.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

71b2f3c40cf873641f39dde41d160c6a.exe259398540.exe259398541.exerundll32.exe

description	pid	process	target process
PID 2220 wrote to memory of 1112	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398540.exe
PID 2220 wrote to memory of 1112	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398540.exe
PID 2220 wrote to memory of 1112	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398540.exe
PID 2220 wrote to memory of 1112	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398540.exe
PID 2220 wrote to memory of 1104	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398541.exe
PID 2220 wrote to memory of 1104	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398541.exe
PID 2220 wrote to memory of 1104	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398541.exe
PID 2220 wrote to memory of 1104	2220	71b2f3c40cf873641f39dde41d160c6a.exe	259398541.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1112 wrote to memory of 2124	1112	259398540.exe	rundll32.exe
PID 1104 wrote to memory of 2588	1104	259398541.exe	lnUMnIoxFh.exe
PID 1104 wrote to memory of 2588	1104	259398541.exe	lnUMnIoxFh.exe
PID 1104 wrote to memory of 2588	1104	259398541.exe	lnUMnIoxFh.exe
PID 1104 wrote to memory of 2588	1104	259398541.exe	lnUMnIoxFh.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 2452	2124	rundll32.exe	rundll32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

259398541.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	259398541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	259398541.exe

C:\Users\Admin\AppData\Local\Temp\71b2f3c40cf873641f39dde41d160c6a.exe
"C:\Users\Admin\AppData\Local\Temp\71b2f3c40cf873641f39dde41d160c6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\259398540.exe
C:\Users\Admin\AppData\Local\259398540.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\SDApencm.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\SDApencm.dll",iep
4⤵
- Loads dropped DLL
PID:2452

C:\Users\Admin\AppData\Local\259398541.exe
C:\Users\Admin\AppData\Local\259398541.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1104

C:\Users\Admin\AppData\Local\Temp\lnUMnIoxFh.exe
"C:\Users\Admin\AppData\Local\Temp\lnUMnIoxFh.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\259398540.exe
Filesize
88KB

MD5
38c41dac1a03da5fa94c7c3263eb4313

SHA1
9a3a21497efa4024698aad1d688bed7e9722ec78

SHA256
0aae847ec81a74f12fb5b7e0c95f2be62eb620a64040d4b898b43022cb871e32

SHA512
64e197afbd67b8d06a18b7c52472ab7239727daacdfb8cb458d88cc8fd66dbca5157a81d066f0a7c0008a67e202baf6447241ba6a1d2c07c46339f24eeba5609

Download Submit
\Users\Admin\AppData\Local\259398541.exe
Filesize
459KB

MD5
80938190ace75411254ff102f397a02d

SHA1
ffea9db9ef85e1781c811b224a3abf708c05e2e4

SHA256
11983799b400aad459d846735c178d8d9a9cd9819a63b11eadf83e0c48ef51c7

SHA512
9c8dc6918efcc1684a5c2577b07584c65f4f33e223e3dbf5e63aa9c111a56ca1686e21363bb29831a28c7f7fb65d2263f5325a78cbde5097e6bd1eb9750210b2

Download Submit
\Users\Admin\AppData\Local\SDApencm.dll
Filesize
88KB

MD5
6c99f1d251b1891ca95e1ffbada7ce7c

SHA1
6ae72d1ca54dc5ff28727703fb63482594c585ce

SHA256
2c6944dfcee1c10e5070e6e2432373f94b0f86ec48f31a642eeabc75bde1e87b

SHA512
1a474407816bb48e74fd27854cba86353b0d9cbb2f1ae53f358b40c9ae04e367bb18a5634172a74e7a922b867b610b7257d56fa1984ece7c6879d30914796af5

Download Submit
\Users\Admin\AppData\Local\Temp\DOTQjGgjsJ.dll
Filesize
410KB

MD5
d2a407bd16c924deff68958ca7aaabae

SHA1
03f9cc97a9e652eeac831de823a2c1393a9c794c

SHA256
1b22301ff4e3a571ec6dac8bee069c35a6917a100614640d8c07334f6f8c5e62

SHA512
0d96b22d25842e1a0f48283c6935c3fd0d7dc5955a52b87a67f70599fae5efba852fb806336dd772242777e68504f56ed6d11d23b516add952f5e3792b7e8bcb

Download Submit
memory/1104-26-0x0000000000240000-0x00000000002B0000-memory.dmp

Filesize
448KB

Download
memory/1104-52-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1104-32-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/1112-70-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/1112-72-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1112-12-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1112-14-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/1112-13-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/1112-69-0x0000000001DD0000-0x0000000001E10000-memory.dmp

Filesize
256KB

Download
memory/2124-76-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2124-34-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2124-78-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2124-37-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2124-90-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2124-33-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2124-73-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2124-96-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2220-2-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2220-0-0x0000000002300000-0x0000000002340000-memory.dmp

Filesize
256KB

Download
memory/2220-1-0x0000000002300000-0x0000000002340000-memory.dmp

Filesize
256KB

Download
memory/2452-94-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2452-95-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2452-99-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2452-104-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2452-105-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2588-68-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2588-77-0x0000000002990000-0x0000000002A90000-memory.dmp

Filesize
1024KB

Download
memory/2588-75-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download
memory/2588-83-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2588-84-0x0000000002990000-0x0000000002A90000-memory.dmp

Filesize
1024KB

Download
memory/2588-74-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2588-71-0x0000000002990000-0x0000000002A90000-memory.dmp

Filesize
1024KB

Download
memory/2588-51-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download
memory/2588-67-0x00000000768B0000-0x00000000769C0000-memory.dmp

Filesize
1.1MB

Download
memory/2588-66-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/2588-47-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2588-50-0x0000000002070000-0x00000000020D4000-memory.dmp

Filesize
400KB

Download
memory/2588-112-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads