9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9

Analysis

max time kernel
145s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26/12/2022, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe
Size

1.8MB
MD5

a34e739ad6600deb3da7f079ff92ba01
SHA1

fff1688ff004705f313cb6d825a766359f1da55d
SHA256

9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9
SHA512

50915a31d1c9b91e72ac08ce7677bff04954a0b689c68386ac339e7cfa5d37d3c82fffa592143f4342823736ffc4c80b64a0f5e5c269fbe6fce3ceb99dcef507
SSDEEP

49152:mSpKv8jwpX9rIMpG9sIgaPYpksP88yo485WwFXnM1ggX:mSyewE/9skPWO8yd1w1glX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4296	rundll32.exe
3764	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4556	4328	9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe	66
PID 4328 wrote to memory of 4556	4328	9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe	66
PID 4328 wrote to memory of 4556	4328	9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe	66
PID 4556 wrote to memory of 4296	4556	control.exe	68
PID 4556 wrote to memory of 4296	4556	control.exe	68
PID 4556 wrote to memory of 4296	4556	control.exe	68
PID 4296 wrote to memory of 3060	4296	rundll32.exe	69
PID 4296 wrote to memory of 3060	4296	rundll32.exe	69
PID 3060 wrote to memory of 3764	3060	RunDll32.exe	70
PID 3060 wrote to memory of 3764	3060	RunDll32.exe	70
PID 3060 wrote to memory of 3764	3060	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe
"C:\Users\Admin\AppData\Local\Temp\9f89e48d4f5253c62ab13b35e00958bef016150dac7941185d19f1d0103aa5f9.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\AOtF.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AOtF.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AOtF.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\AOtF.CpL",
        5⤵
        Loads dropped DLL
        
        PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AOtF.CpL

Filesize
1.4MB

MD5
db40c2e3ac8405f783c8c40f278fc848

SHA1
e4d905a540ca1d303689b71b011e1c118f9bbf7c

SHA256
247dc7d9288e8b45fb83f16564b188ed4de1f68b0c84f7f6caf94f790a8a9515

SHA512
2d27ec6f5340125929f444785739125aebd3dd8c6acb81297dbb5cfafdc3e522eeedc14026255f17b16fc9fa59967cb5eb0c6af83945dc36bb6ce3e81b0f27e4

Download Submit
\Users\Admin\AppData\Local\Temp\AOtf.cpl

Filesize
1.4MB

MD5
db40c2e3ac8405f783c8c40f278fc848

SHA1
e4d905a540ca1d303689b71b011e1c118f9bbf7c

SHA256
247dc7d9288e8b45fb83f16564b188ed4de1f68b0c84f7f6caf94f790a8a9515

SHA512
2d27ec6f5340125929f444785739125aebd3dd8c6acb81297dbb5cfafdc3e522eeedc14026255f17b16fc9fa59967cb5eb0c6af83945dc36bb6ce3e81b0f27e4

Download Submit
\Users\Admin\AppData\Local\Temp\AOtf.cpl

Filesize
1.4MB

MD5
db40c2e3ac8405f783c8c40f278fc848

SHA1
e4d905a540ca1d303689b71b011e1c118f9bbf7c

SHA256
247dc7d9288e8b45fb83f16564b188ed4de1f68b0c84f7f6caf94f790a8a9515

SHA512
2d27ec6f5340125929f444785739125aebd3dd8c6acb81297dbb5cfafdc3e522eeedc14026255f17b16fc9fa59967cb5eb0c6af83945dc36bb6ce3e81b0f27e4

Download Submit
memory/3764-326-0x0000000004670000-0x00000000047CF000-memory.dmp

Filesize
1.4MB

Download
memory/4296-271-0x0000000004CA0000-0x0000000004DFF000-memory.dmp

Filesize
1.4MB

Download
memory/4296-272-0x0000000072610000-0x0000000072775000-memory.dmp

Filesize
1.4MB

Download
memory/4296-325-0x0000000072610000-0x0000000072775000-memory.dmp

Filesize
1.4MB

Download
memory/4328-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-164-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-167-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-157-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-177-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4556-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download