fceeab75497486c488d14c0d720ffa76e1f05ccede93781e33eef26df1d5b469

General

Target

7cb945c8a66cf7aadb612f1f663f2d81.exe
Size

92KB
MD5

7cb945c8a66cf7aadb612f1f663f2d81
SHA1

892460af249270abe759f8ddbe75213297b174d9
SHA256

fceeab75497486c488d14c0d720ffa76e1f05ccede93781e33eef26df1d5b469
SHA512

aa3a80112aaac5e8b0142e7f9772eb31c3556a65d7457bb0b4e0d473cd2e6f379229dcecf93806fc192b1e3808bd8cd8fef8cbc11cc8a3b431c3d5dfd3bf1ac9
SSDEEP

1536:Hn9YBCSyQ2ViQ7fb5mezJE/4urFTpMCpcIJSdih0sHlMWq1OvuZF47x:dcUVNf9e4aFp1pc+/OI6W6ouZFu

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adozisayiko = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\aupsLene.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2316 wrote to memory of 2216	2316	7cb945c8a66cf7aadb612f1f663f2d81.exe	17
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29
PID 2216 wrote to memory of 2700	2216	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\7cb945c8a66cf7aadb612f1f663f2d81.exe
"C:\Users\Admin\AppData\Local\Temp\7cb945c8a66cf7aadb612f1f663f2d81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\aupsLene.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\aupsLene.dll",iep
    3⤵
    - Loads dropped DLL
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\aupsLene.dll

Filesize
11KB

MD5
4e95ddb9f6cbd851a4cae7129f131efe

SHA1
b1e9c823463480dd645362bd1ae8327c71d93849

SHA256
62710de60574a10ed34ec6c808b85eee8c18da26e061a2a4c031ce56923c2591

SHA512
7b4500026015e6d85c8591bbad39dfab890ef3123974c490e516a8cbfb41aada11b5b3ab8c993cabf0fab7f5c7e83fe0a328e3f79a12d222926d41fe72a778a4

Download Submit
\Users\Admin\AppData\Local\aupsLene.dll

Filesize
50KB

MD5
819f4f39d7dbc42dd2f37dd6bda6e9b7

SHA1
d0fd00bfd01a26766256aa2095fff7932c1140eb

SHA256
f1a15e479366f51b796f89335969d5e1514ddd145a7e5b7e2b3c0ac32fba2a1e

SHA512
1c7edbabcd107e411c607b04923e4a9837ba1aa01b0dd806da22b1c813e0009561b6ec5bdb13e16fff06f4d87dfc3229128ae9dfaffa598dc1a80a5508a2b6e2

Download Submit
\Users\Admin\AppData\Local\aupsLene.dll

Filesize
92KB

MD5
a95251c5d1ac879e40b9ddbe88ec84d1

SHA1
1f605fa585c08261bfb58311a27555b2f6609b6a

SHA256
c9e8595d932fab0251c3edf43e92c4611bd785135a728d03eacaf29cd6e44a93

SHA512
747223baea6a3d5a7438b457a33c4e1ff6bf99e0dfbbf0d25dd370331430f648a18194548db76b870a114143e239cd9b0898eb94282f073d5ccc5932b4f580dd

Download Submit
memory/2216-13-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2216-10-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2216-11-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/2216-28-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2216-25-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2316-16-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2316-12-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2316-2-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2316-17-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2316-0-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2316-1-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2700-27-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2700-26-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2700-29-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2700-32-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads