1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96

General

Target

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Size

205KB
MD5

f4b030d8f06fcdeab6dbc5a8d90ea949
SHA1

c433438398b9dc5644dc5244255b592098069d8e
SHA256

1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96
SHA512

7de46b5fa25dac43206df4b468cb3773828e46d3c38945d0eae49735812ac8e4974d53093f59333cd7f4d689887bf105df0a53d0c76a80b131a77b0137de2702
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87Gw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28
PID 1580 wrote to memory of 1232	1580	1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe	28

C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe
"C:\Users\Admin\AppData\Local\Temp\1cf620b5f6a51170f40e8ecf35dfc70b643a170140a3f87c0a79fb946d6ace96.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
5561492e551cda26b5fdf17b5faecb4e

SHA1
ad0e6164209356188cf3b95a16054ca886833ce5

SHA256
0cd32a6cc630577699fea8629e02d32508a5dafd93d5337ced72aefbf129fe7c

SHA512
3c8bf9d10371e75b3ca308e97b70be246c3a60c99d99847e0472ed9c88b1fdc19108a306b3fa3cdd45bddbae2f9c5cdaad0bfa4d41903866588f35b78cabbb61

Download Submit
memory/1232-24-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-23-0x0000000074780000-0x000000007478F000-memory.dmp

Filesize
60KB

Download
memory/1232-48-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-46-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-44-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-20-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-19-0x00000000002E0000-0x00000000002F3000-memory.dmp

Filesize
76KB

Download
memory/1232-28-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-26-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-22-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-42-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-40-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-21-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-30-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-32-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-34-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-36-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1232-38-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1580-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-1-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/1580-10-0x0000000074A80000-0x0000000074A8F000-memory.dmp

Filesize
60KB

Download
memory/1580-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads