49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95

Analysis

max time kernel
67s
max time network
52s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15/10/2022, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe
Size

1.6MB
MD5

afd2636bba2c7ad94c6482d5d1a12898
SHA1

ccfa7daabdac6cb08586c88f191e4848d5402022
SHA256

49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95
SHA512

82f4c7d5f088e4afc3f96eef65264d972958d350eb3dfe9218fe73cad04e551e704cb8e39c85065790edd73684aa5a67f9f8a85d6c4517b9d747133defc5e183
SSDEEP

24576:b062cSEk8zNlL2BKjxevlMEUti+9RhtJnZwPybWoqq9aoegvO9SrJtwVeoB6a9it:A6Paqle9UVBtvwP0WotegS2twV35XLY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3452	rundll32.exe
2448	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4844	1680	49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe	66
PID 1680 wrote to memory of 4844	1680	49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe	66
PID 1680 wrote to memory of 4844	1680	49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe	66
PID 4844 wrote to memory of 3452	4844	control.exe	68
PID 4844 wrote to memory of 3452	4844	control.exe	68
PID 4844 wrote to memory of 3452	4844	control.exe	68
PID 3452 wrote to memory of 448	3452	rundll32.exe	69
PID 3452 wrote to memory of 448	3452	rundll32.exe	69
PID 448 wrote to memory of 2448	448	RunDll32.exe	70
PID 448 wrote to memory of 2448	448	RunDll32.exe	70
PID 448 wrote to memory of 2448	448	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe
"C:\Users\Admin\AppData\Local\Temp\49672e9c05504b10aecc7ff07d4b42500c9a3a94a5a5c91c1ae955e7d8612d95.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl",
        5⤵
        Loads dropped DLL
        
        PID:2448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Z20N0uPl.CPl

Filesize
1.6MB

MD5
4a0513513c389ccd8729f701217f114b

SHA1
9e50e6290a50b99563749ad61447d31430240c00

SHA256
5dabeb9c86c38eea1abfd5dc80c44fa2d70e5cfe7154d82baaf628a95ef38a7a

SHA512
10362e354a0eecd6494d26c07a784672b4548078fed86eb4bd69e65b82d4acef80ac73096a8494ae04397894ea2f432f76779102de92f943787998a3764dda88

Download Submit
\Users\Admin\AppData\Local\Temp\Z20N0upl.cpl

Filesize
1.6MB

MD5
4a0513513c389ccd8729f701217f114b

SHA1
9e50e6290a50b99563749ad61447d31430240c00

SHA256
5dabeb9c86c38eea1abfd5dc80c44fa2d70e5cfe7154d82baaf628a95ef38a7a

SHA512
10362e354a0eecd6494d26c07a784672b4548078fed86eb4bd69e65b82d4acef80ac73096a8494ae04397894ea2f432f76779102de92f943787998a3764dda88

Download Submit
\Users\Admin\AppData\Local\Temp\Z20N0upl.cpl

Filesize
1.6MB

MD5
4a0513513c389ccd8729f701217f114b

SHA1
9e50e6290a50b99563749ad61447d31430240c00

SHA256
5dabeb9c86c38eea1abfd5dc80c44fa2d70e5cfe7154d82baaf628a95ef38a7a

SHA512
10362e354a0eecd6494d26c07a784672b4548078fed86eb4bd69e65b82d4acef80ac73096a8494ae04397894ea2f432f76779102de92f943787998a3764dda88

Download Submit
memory/1680-157-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-160-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-123-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-125-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-126-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-128-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-129-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-130-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-131-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-161-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-133-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-135-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-134-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-136-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-137-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-139-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-138-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-140-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-142-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-141-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-144-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-143-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-145-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-146-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-147-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-148-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-149-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-151-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-152-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-153-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-154-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-150-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-155-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-156-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-121-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-158-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-122-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-159-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-132-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-162-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-163-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-164-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-165-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-166-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-167-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-168-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-169-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-170-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-171-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-172-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-173-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-174-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-175-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-176-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-177-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-178-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-179-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-180-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-181-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-182-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-183-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-184-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-185-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/1680-120-0x0000000077390000-0x000000007751E000-memory.dmp

Filesize
1.6MB

Download
memory/2448-341-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/2448-342-0x0000000004FC0000-0x00000000050CB000-memory.dmp

Filesize
1.0MB

Download
memory/2448-351-0x0000000004FC0000-0x00000000050CB000-memory.dmp

Filesize
1.0MB

Download
memory/3452-281-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/3452-282-0x0000000005680000-0x000000000578B000-memory.dmp

Filesize
1.0MB

Download
memory/3452-352-0x0000000005680000-0x000000000578B000-memory.dmp

Filesize
1.0MB

Download