e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd

General

Target

e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd.dll
Size

3.3MB
MD5

ec203098f0e1d9ab5db48e0b73ced3f7
SHA1

80588a32e25db376f6f8132826e147c89185981c
SHA256

e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd
SHA512

cdd2ab19c6c8e762502a6dcae5bea0d2c039bf9ec86fa9caf0cb8cda5049e9347d6eae99171d32096781e78c260f5295b87abc0ac527126258a04237a190fc12
SSDEEP

98304:sKwKFd1dlcfQ8JJUomw7GQu8R9lhpN7X3eHv:p1aJUeBtH7X6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2676	mailx.exe
2712	winhts.exe
2700	diskperfa.dat

Loads dropped DLL 3 IoCs

pid	Process
1924	rundll32.exe
2676	mailx.exe
2712	winhts.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mailx.zip	rundll32.exe
File created	C:\Windows\SysWOW64\zzz.zip	rundll32.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\winhts.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\first.run	rundll32.exe
File opened for modification	C:\Program Files (x86)\zserv\zprog.dat	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\taskconfig.ini	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\7z.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\7z.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\zcurl.exe	rundll32.exe
File created	C:\Program Files (x86)\zserv\zserv.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\diskperfa.dat	winhts.exe
File opened for modification	C:\Program Files (x86)\Windows MailX\taskconfig.ini	rundll32.exe
File created	C:\Program Files (x86)\zserv\zprog.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows MailX\Launcher.ini	mailx.exe
File created	C:\Program Files (x86)\zserv\first.run	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows MailX\taskconfig.ini	diskperfa.dat
File created	C:\Program Files (x86)\Windows MailX\Launcher.ini	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\1.0.0.0\config.ini	rundll32.exe
File created	C:\Program Files (x86)\Windows MailX\mailx.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows MailX\1.0.0.0\diskperfa.dat	winhts.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	mailx.exe
2676	mailx.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 2204 wrote to memory of 1924	2204	rundll32.exe	28
PID 1924 wrote to memory of 2676	1924	rundll32.exe	29
PID 1924 wrote to memory of 2676	1924	rundll32.exe	29
PID 1924 wrote to memory of 2676	1924	rundll32.exe	29
PID 1924 wrote to memory of 2676	1924	rundll32.exe	29
PID 2676 wrote to memory of 2712	2676	mailx.exe	30
PID 2676 wrote to memory of 2712	2676	mailx.exe	30
PID 2676 wrote to memory of 2712	2676	mailx.exe	30
PID 2676 wrote to memory of 2712	2676	mailx.exe	30
PID 2712 wrote to memory of 2700	2712	winhts.exe	32
PID 2712 wrote to memory of 2700	2712	winhts.exe	32
PID 2712 wrote to memory of 2700	2712	winhts.exe	32
PID 2712 wrote to memory of 2700	2712	winhts.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Program Files (x86)\Windows MailX\mailx.exe
    "C:\Program Files (x86)\Windows MailX\mailx.exe" C:\Users\Admin\AppData\Local\Temp\e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd.dll,#1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Windows MailX\1.0.0.0\winhts.exe
      "C:\Program Files (x86)\Windows MailX\1.0.0.0\winhts.exe" C:\Users\Admin\AppData\Local\Temp\e56af0fe01834fd6c75200ddd87d4f6ef7e1d32a97d6f329bf2dbd25410c65dd.dll,#1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Program Files (x86)\Windows MailX\1.0.0.0\diskperfa.dat
        
        diskperfa.dat hidden
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows MailX\1.0.0.0\winhts.exe

Filesize
1.7MB

MD5
e21750740f1dfe2e86d29d7cf712131d

SHA1
5a740c50146b1e2d7e72d2fe1f5854d94499d9c6

SHA256
49f95cfb92a782b99b9c5b20a86b2363faa739124a89791a56c116729fb2a1e8

SHA512
bf9ebff7b071c1ec2dce48381e14f4444aab8f57243ac229c9e411d6f8a110cf697c19b367ab62c694cfb201341e05ee052ba7b2ea7b98801a660e4e1b3ca5d5

Download Submit
C:\Program Files (x86)\Windows MailX\Launcher.ini

Filesize
59B

MD5
8f8adb8d3b4c2eafdfd7645883edc37e

SHA1
32a1bbdcd3f5a3bbc835497853637d2388ab24c4

SHA256
d4e5f7cd4e83d38ca21d1190b2f122c6ee37b6289156fefdd2bb260a6b15b87e

SHA512
140e50df9b67d90fba7d331ed3312db0031dd63e75ec6b7ad35f0025918821d933104dbd3fdb3bfb0c3bf060fd502ab87d0d8395e14bde61d35c6fd78f4a32ba

Download Submit
C:\Program Files (x86)\Windows MailX\taskconfig.ini

Filesize
133B

MD5
6864b0f821ed8fe3483691578a020dcd

SHA1
b29eaf6f7af0f3e420960bc9e9783a4ec4847902

SHA256
73f1cf3481cbba9c8fee6b19341d764f7632248023149738149742a3edea39fc

SHA512
26f77de497520d13e0e149be3f36b77c988ef10cb47246bae84c1e5eff384a2f73e00e296e7af5fed44d85df102bca3c98b3a5f13f7d6607405fcab6993203af

Download Submit
\Program Files (x86)\Windows MailX\mailx.exe

Filesize
1.7MB

MD5
e267d004a2c3d488badfe2348c2e2173

SHA1
1b408c0053ec4df64300c20b836a3541946d0343

SHA256
8edcc688c1159cbd13b5fb12a00f3781c403dbf54b0f91c204ec6e644cb9be12

SHA512
743ffc837399112c7304235e3dd4c8cb5e49cce2420f11f1e1e0fb42610168d1f13436c52650920da69c4e01d750c99a8cfeee15d005d611e87ac94ccc625643

Download Submit

Analysis

Sharing