633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d

Analysis

max time kernel
45s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15/01/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe
Size

1.3MB
MD5

b975025be071b6e0c3e371a65918ac2f
SHA1

4c9202e37df828c83254ccd6b52abada25e7ad30
SHA256

633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d
SHA512

ea5c4ecb160ce12c4f9cd8a23d8fafde459b7da4bc2a2b74ddb1c526deac89b1a07eaba8c2944bb5778eff7e7f1d17c7bc6e88cc10b15e46feefb432af4b93c1
SSDEEP

24576:zry2uXzmwLXrtgvug9g840scr2Zo7S4CqzWLATBem2eVc3nDIQiMYUjb:zunLKWuFrnr2ZSdCqzLcgfQzYU/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1836	rundll32.exe
1836	rundll32.exe
1836	rundll32.exe
1836	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1084	1164	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	27
PID 1164 wrote to memory of 1084	1164	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	27
PID 1164 wrote to memory of 1084	1164	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	27
PID 1164 wrote to memory of 1084	1164	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	27
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1084 wrote to memory of 1504	1084	control.exe	28
PID 1504 wrote to memory of 560	1504	rundll32.exe	29
PID 1504 wrote to memory of 560	1504	rundll32.exe	29
PID 1504 wrote to memory of 560	1504	rundll32.exe	29
PID 1504 wrote to memory of 560	1504	rundll32.exe	29
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30
PID 560 wrote to memory of 1836	560	RunDll32.exe	30

C:\Users\Admin\AppData\Local\Temp\633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe
"C:\Users\Admin\AppData\Local\Temp\633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
        5⤵
        Loads dropped DLL
        
        PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
memory/1164-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1504-71-0x0000000002510000-0x00000000025EE000-memory.dmp

Filesize
888KB

Download
memory/1504-65-0x00000000009A0000-0x0000000000B00000-memory.dmp

Filesize
1.4MB

Download
memory/1504-69-0x0000000000890000-0x0000000000986000-memory.dmp

Filesize
984KB

Download
memory/1504-64-0x00000000009A0000-0x0000000000B00000-memory.dmp

Filesize
1.4MB

Download
memory/1504-68-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1836-81-0x0000000002230000-0x0000000002390000-memory.dmp

Filesize
1.4MB

Download
memory/1836-84-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1836-87-0x0000000002650000-0x000000000272E000-memory.dmp

Filesize
888KB

Download