f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100

Analysis

max time kernel
144s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/09/2022, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe
Size

1.8MB
MD5

ad9a794fbe736a06f218901c6d4fb2d7
SHA1

e2def1777d0bc416564124526c74408b73bec576
SHA256

f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100
SHA512

2e311a7bb74176474435e762c96df3a1a920136726a873dad9741e5e70e6d4a5a06e2604d8db0df3031cf4672716dbc37e227227ed9f424566eda35e2d435095
SSDEEP

49152:4unQlj/NXedYPLKRIPx00ILQzew5sB5X2Rri+oj6NmO34G:4KgjYdcgIJxzj+GRRojHK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4388	rundll32.exe
4388	rundll32.exe
4080	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4796	2808	f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe	66
PID 2808 wrote to memory of 4796	2808	f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe	66
PID 2808 wrote to memory of 4796	2808	f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe	66
PID 4796 wrote to memory of 4388	4796	control.exe	68
PID 4796 wrote to memory of 4388	4796	control.exe	68
PID 4796 wrote to memory of 4388	4796	control.exe	68
PID 4388 wrote to memory of 1408	4388	rundll32.exe	69
PID 4388 wrote to memory of 1408	4388	rundll32.exe	69
PID 1408 wrote to memory of 4080	1408	RunDll32.exe	70
PID 1408 wrote to memory of 4080	1408	RunDll32.exe	70
PID 1408 wrote to memory of 4080	1408	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe
"C:\Users\Admin\AppData\Local\Temp\f5e662e15d387e7075000ec289bb29b40223e6ce73a887b5672e87e540606100.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\BoFogA.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BoFogA.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BoFogA.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\BoFogA.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BoFogA.cPl

Filesize
2.3MB

MD5
d1ab0f7e59cc0ec671c1fbb29e01ee0c

SHA1
70e99fa7b894a8882d795d1758b952e8c2099d6c

SHA256
ba4315e434740fa217d1f6e0103caf9e3f78dc9c2ad8047619603a14d3fec369

SHA512
fdba930e08c3e6e7bf3147654a449f97ae4a41d256cba84d561acf2028b0d37b28de0ae70f38aa25b29fc873e1701eac8813070842a9f1a175dabaa96bfff23a

Download Submit
\Users\Admin\AppData\Local\Temp\BoFogA.cpl

Filesize
2.3MB

MD5
d1ab0f7e59cc0ec671c1fbb29e01ee0c

SHA1
70e99fa7b894a8882d795d1758b952e8c2099d6c

SHA256
ba4315e434740fa217d1f6e0103caf9e3f78dc9c2ad8047619603a14d3fec369

SHA512
fdba930e08c3e6e7bf3147654a449f97ae4a41d256cba84d561acf2028b0d37b28de0ae70f38aa25b29fc873e1701eac8813070842a9f1a175dabaa96bfff23a

Download Submit
\Users\Admin\AppData\Local\Temp\BoFogA.cpl

Filesize
2.3MB

MD5
d1ab0f7e59cc0ec671c1fbb29e01ee0c

SHA1
70e99fa7b894a8882d795d1758b952e8c2099d6c

SHA256
ba4315e434740fa217d1f6e0103caf9e3f78dc9c2ad8047619603a14d3fec369

SHA512
fdba930e08c3e6e7bf3147654a449f97ae4a41d256cba84d561acf2028b0d37b28de0ae70f38aa25b29fc873e1701eac8813070842a9f1a175dabaa96bfff23a

Download Submit
\Users\Admin\AppData\Local\Temp\BoFogA.cpl

Filesize
2.3MB

MD5
d1ab0f7e59cc0ec671c1fbb29e01ee0c

SHA1
70e99fa7b894a8882d795d1758b952e8c2099d6c

SHA256
ba4315e434740fa217d1f6e0103caf9e3f78dc9c2ad8047619603a14d3fec369

SHA512
fdba930e08c3e6e7bf3147654a449f97ae4a41d256cba84d561acf2028b0d37b28de0ae70f38aa25b29fc873e1701eac8813070842a9f1a175dabaa96bfff23a

Download Submit
memory/2808-151-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-155-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-117-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-120-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-121-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-123-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-124-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-125-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-126-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-157-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-128-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-129-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-130-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-131-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-132-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-133-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-134-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-135-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-136-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-137-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-138-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-139-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-140-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-141-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-142-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-143-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-144-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-145-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-146-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-147-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-148-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-149-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-150-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-116-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-152-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-153-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-118-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-154-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-127-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-156-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-158-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-159-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-160-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-161-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-162-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-163-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-164-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-166-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-165-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-167-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-168-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-169-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-170-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-171-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-172-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-173-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-174-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-175-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-176-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-177-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-178-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-179-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-180-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/2808-115-0x0000000077960000-0x0000000077AEE000-memory.dmp

Filesize
1.6MB

Download
memory/4080-342-0x00000000051A0000-0x0000000005327000-memory.dmp

Filesize
1.5MB

Download
memory/4080-343-0x0000000005460000-0x000000000558E000-memory.dmp

Filesize
1.2MB

Download
memory/4080-359-0x0000000005460000-0x000000000558E000-memory.dmp

Filesize
1.2MB

Download
memory/4388-279-0x0000000004CD0000-0x0000000004E57000-memory.dmp

Filesize
1.5MB

Download
memory/4388-280-0x0000000004E60000-0x0000000004F8E000-memory.dmp

Filesize
1.2MB

Download
memory/4388-360-0x0000000004E60000-0x0000000004F8E000-memory.dmp

Filesize
1.2MB

Download