c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8

General

Target

c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
Size

205KB
MD5

03391529051474aa9bddad0823cfed50
SHA1

cb4c154ace7a7b787a296f49f219d79e5b53a703
SHA256

c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8
SHA512

6ba1396e49adf0eabdf2f530b92c465e51e1fb01a4550ef37f2bad99a57bf2419837ba4fce7f1d4a94d0f33a99636bfe336d76e9f8d514a1a3c3dae46b943180
SSDEEP

3072:0IXqry+d3DxQcv7zhWPk65Ui8BhmqjNj8DCUNUO42YwHdKpUUzE0mu87dw:dQCcv7Mk6bgL5jMCeU3dRCUI0mu8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe
2764	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30
PID 2104 wrote to memory of 2764	2104	c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe	30

C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe
"C:\Users\Admin\AppData\Local\Temp\c13ac350be57db0d0d42d017c5c2e20177c12c8f214225f7f0fa441fa8b3aad8N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
\Windows\SysWOW64\sshnas21.dll

Filesize
168KB

MD5
0b62e0a8526991fad4b3fe5aceaedf1f

SHA1
19120b4fb5a27a6f332c56502dc2af7b429aa810

SHA256
29bdb931756bc54b99f0c1dd2c1f602ac9531f43796210b0976506d137e44170

SHA512
df974e8c21d329f88196e6ad0ae2953fa1e20ad9e36b2c8fe53f4130519ed63fbe2fc5e11646902293eb4fae5b5bb1248575d6203288cf3700d2fdadddaa6b0e

Download Submit
memory/2104-1-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/2104-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-10-0x00000000750C0000-0x00000000750CF000-memory.dmp

Filesize
60KB

Download
memory/2764-21-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-28-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-22-0x0000000074F90000-0x0000000074F9F000-memory.dmp

Filesize
60KB

Download
memory/2764-19-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/2764-23-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-24-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-26-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-20-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-30-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-32-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-34-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-36-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-38-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-40-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2764-42-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads