cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc

Resubmissions

27/12/2022, 00:41

221227-a15twahc5y 7

27/12/2022, 00:20

221227-amsmdshc3w 7

Analysis

max time kernel
37s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/12/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe
Size

1.7MB
MD5

39fa68973af1c0d337504dc5f5a78c19
SHA1

ef0a813e0667a0fd0bb7f3856a3a43f910fd07b8
SHA256

cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc
SHA512

25c944174c1387c881ed5b01e25f7190519fbdca7a8e51f7f1de87954b7f2aded3bdff65c30294e68b3c1512ce1f38ae7b7d62c030ee214ffcbee08f3398c538
SSDEEP

49152:084cPIOD7j5EfFtmwLWwzshG41qQfMqhyf3hVEtg:6cPIOD7jWfWwLWwz8G4xfMqhyJVEa

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 944	1104	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	28
PID 1104 wrote to memory of 944	1104	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	28
PID 1104 wrote to memory of 944	1104	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	28
PID 1104 wrote to memory of 944	1104	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	28
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 944 wrote to memory of 900	944	control.exe	29
PID 900 wrote to memory of 468	900	rundll32.exe	30
PID 900 wrote to memory of 468	900	rundll32.exe	30
PID 900 wrote to memory of 468	900	rundll32.exe	30
PID 900 wrote to memory of 468	900	rundll32.exe	30
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31
PID 468 wrote to memory of 1500	468	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe
"C:\Users\Admin\AppData\Local\Temp\cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
        5⤵
        Loads dropped DLL
        
        PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
memory/900-64-0x0000000001DE0000-0x0000000002A2A000-memory.dmp

Filesize
12.3MB

Download
memory/900-67-0x0000000002A30000-0x0000000002B11000-memory.dmp

Filesize
900KB

Download
memory/900-65-0x0000000073C40000-0x0000000073DF7000-memory.dmp

Filesize
1.7MB

Download
memory/1104-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1500-77-0x0000000001DC0000-0x0000000002A0A000-memory.dmp

Filesize
12.3MB

Download
memory/1500-79-0x0000000002A70000-0x0000000002B51000-memory.dmp

Filesize
900KB

Download