798e6d771016bd324773e1b6c700a84dc2bf79e4951b3fc47feef1dcece33626

General

Target

ac97b20edcbafa7d6d2cab6040451b10.exe
Size

65KB
MD5

ac97b20edcbafa7d6d2cab6040451b10
SHA1

ad671ad399a9a71fa6bbc39599aec84480d8a8e7
SHA256

798e6d771016bd324773e1b6c700a84dc2bf79e4951b3fc47feef1dcece33626
SHA512

aa0a5839af959012f9f9dcb3d875cab4f704269059a2d51b85ad1c4c065142328ad11fb561d2e613096682a4006eca5c011f26f4b9e8b876403b55196ef5e1bf
SSDEEP

1536:l+n+yUIDbf1RoSG++GNdKX3SqRE6Bybgftsmb:k+PIDLY++Gu3SqexStsmb

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ac97b20edcbafa7d6d2cab6040451b10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mcc16 = "rundll32 \"C:\\Windows\\Downlo~1\\mcc16.dll\",start"	ac97b20edcbafa7d6d2cab6040451b10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ztjw9b0i = "rundll32 \"C:\\Windows\\Downlo~1\\ztjw9b0i.dll\",Run"	ac97b20edcbafa7d6d2cab6040451b10.exe

Loads dropped DLL 8 IoCs

pid	Process
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Downlo~1\ztjw9b0i.dll	ac97b20edcbafa7d6d2cab6040451b10.exe
File created	C:\Windows\-8073-80-59	ac97b20edcbafa7d6d2cab6040451b10.exe
File opened for modification	C:\Windows\Downlo~1\mcc16.dll	ac97b20edcbafa7d6d2cab6040451b10.exe
File created	C:\Windows\Downlo~1\mcc16.dll	ac97b20edcbafa7d6d2cab6040451b10.exe
File created	C:\Windows\b049b0c5	ac97b20edcbafa7d6d2cab6040451b10.exe
File opened for modification	C:\Windows\Downlo~1\ztjw9b0i.dll	ac97b20edcbafa7d6d2cab6040451b10.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	rundll32.exe
2600	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1844	ac97b20edcbafa7d6d2cab6040451b10.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 1844 wrote to memory of 2576	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	28
PID 2576 wrote to memory of 1188	2576	rundll32.exe	7
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 1844 wrote to memory of 2600	1844	ac97b20edcbafa7d6d2cab6040451b10.exe	29
PID 2600 wrote to memory of 1188	2600	rundll32.exe	7

C:\Users\Admin\AppData\Local\Temp\ac97b20edcbafa7d6d2cab6040451b10.exe
"C:\Users\Admin\AppData\Local\Temp\ac97b20edcbafa7d6d2cab6040451b10.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Windows\Downlo~1\mcc16.dll",start
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Windows\Downlo~1\ztjw9b0i.dll",Run
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c2xi9x8\miniDll.dll

Filesize
48KB

MD5
d14a6d6036067babaf54d032fc898c12

SHA1
406039f8ea25005a70a72a099eaa394dec681f01

SHA256
90d121e0590a0a019e54632fa7a1810b4d8169d3cb6daaa6bfe052ea3ebbc918

SHA512
878daa82a00ac723ef08062941c0f69d9f3089efec2875b2754d02b83391161e030deefdf69b3bbb0d0c1e9f874d1b7ac3779d383aefa2d884de53d243466c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2xi9x8\up.dll

Filesize
64KB

MD5
6db4ebf3c1e6d9dfe61781bdd43264ac

SHA1
05faa66d21c82466f718b0a5f60dbaf2067768f1

SHA256
b59ba39bcb8ba9dbd484d363bd57a059b1f886431dffe3ac607553b4ddee72e6

SHA512
0b8d06d3e4c79012837984fdb18b7cefcd0631df80feb187de4a690554d3e0f7f357d36bb25754903043a7b764de7cca36106314a057e631981703e85dc30cae

Download Submit
memory/1188-39-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1844-32-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/1844-33-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1844-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1844-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads