c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-12-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe
Size

2.4MB
MD5

965be7a7213eb9b166dec17d781dabb9
SHA1

82cd97a135c3b08c8ce7a5f0d86c01fa59d57027
SHA256

c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae
SHA512

8857e79023cb129ce7b4ba103a05477f9162422b12a83cff0a88e03843af94dcac2aa53ee323c3df4288705501f3d05c4c1af712f3ce25c0752d3bcab7a1d2d0
SSDEEP

49152:TlBfJXAEGsLbWwDPNCo59RktzPHmwZ713bVGPeckQjIaci:TlBfKEfLbWSE8vktzPGEJxGPeck6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1096	1240	c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe	28
PID 1240 wrote to memory of 1096	1240	c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe	28
PID 1240 wrote to memory of 1096	1240	c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe	28
PID 1240 wrote to memory of 1096	1240	c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe	28
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1096 wrote to memory of 1988	1096	control.exe	29
PID 1988 wrote to memory of 672	1988	rundll32.exe	30
PID 1988 wrote to memory of 672	1988	rundll32.exe	30
PID 1988 wrote to memory of 672	1988	rundll32.exe	30
PID 1988 wrote to memory of 672	1988	rundll32.exe	30
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31
PID 672 wrote to memory of 1044	672	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe
"C:\Users\Admin\AppData\Local\Temp\c80153238ce4716003d43ceb2ef4f0574f6317c4a0be03533bb4ca9d481f2fae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\mTWDCX1Y.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mTWDCX1Y.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\mTWDCX1Y.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\mTWDCX1Y.CPl",
        5⤵
        Loads dropped DLL
        
        PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mTWDCX1Y.CPl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
\Users\Admin\AppData\Local\Temp\mTwdCX1y.cpl

Filesize
2.3MB

MD5
321de08472db15ac359569ed39047a1a

SHA1
97fb13554c8f0cd3bc0d646abb796b8db87ceee2

SHA256
74fe6b31eb6294790b52ad5f0b116453256cdc07a40582af3b7ca689333453e7

SHA512
e084b61b958fbfb97cea7720fea64430d9563978862a6600131f958b4a78536a6319dcf9025bc5f847ab89d7e2bda7c1af6760d61c12ccce8a377aa3707c0877

Download Submit
memory/672-70-0x0000000000000000-mapping.dmp

Download
memory/1044-78-0x0000000001E10000-0x0000000002A5A000-memory.dmp

Filesize
12.3MB

Download
memory/1044-83-0x0000000002440000-0x0000000002507000-memory.dmp

Filesize
796KB

Download
memory/1044-80-0x0000000000910000-0x00000000009ED000-memory.dmp

Filesize
884KB

Download
memory/1044-79-0x0000000001E10000-0x0000000002A5A000-memory.dmp

Filesize
12.3MB

Download
memory/1044-71-0x0000000000000000-mapping.dmp

Download
memory/1096-55-0x0000000000000000-mapping.dmp

Download
memory/1240-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/1988-65-0x0000000002080000-0x0000000002CCA000-memory.dmp

Filesize
12.3MB

Download
memory/1988-67-0x0000000002CBB000-0x0000000002D75000-memory.dmp

Filesize
744KB

Download
memory/1988-69-0x0000000002CB0000-0x0000000002D77000-memory.dmp

Filesize
796KB

Download
memory/1988-66-0x0000000001EA0000-0x0000000001F7D000-memory.dmp

Filesize
884KB

Download