633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d

Analysis

max time kernel
50s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
15/01/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe
Size

1.3MB
MD5

b975025be071b6e0c3e371a65918ac2f
SHA1

4c9202e37df828c83254ccd6b52abada25e7ad30
SHA256

633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d
SHA512

ea5c4ecb160ce12c4f9cd8a23d8fafde459b7da4bc2a2b74ddb1c526deac89b1a07eaba8c2944bb5778eff7e7f1d17c7bc6e88cc10b15e46feefb432af4b93c1
SSDEEP

24576:zry2uXzmwLXrtgvug9g840scr2Zo7S4CqzWLATBem2eVc3nDIQiMYUjb:zunLKWuFrnr2ZSdCqzLcgfQzYU/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4444	rundll32.exe
3968	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3548	2484	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	66
PID 2484 wrote to memory of 3548	2484	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	66
PID 2484 wrote to memory of 3548	2484	633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe	66
PID 3548 wrote to memory of 4444	3548	control.exe	68
PID 3548 wrote to memory of 4444	3548	control.exe	68
PID 3548 wrote to memory of 4444	3548	control.exe	68
PID 4444 wrote to memory of 3196	4444	rundll32.exe	69
PID 4444 wrote to memory of 3196	4444	rundll32.exe	69
PID 3196 wrote to memory of 3968	3196	RunDll32.exe	70
PID 3196 wrote to memory of 3968	3196	RunDll32.exe	70
PID 3196 wrote to memory of 3968	3196	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe
"C:\Users\Admin\AppData\Local\Temp\633bdfac10a5794378a64f0f57a48f4eeed00b699d93fe5b0ac7e2718a2c083d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL",
        5⤵
        Loads dropped DLL
        
        PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vHHIZP.cpL

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
\Users\Admin\AppData\Local\Temp\vHHIzp.cpl

Filesize
1.4MB

MD5
6ce52af7bed44ec6d0af97056fd21463

SHA1
ea351487d97adedc5488a342bdca36d315b14381

SHA256
ff2e2127dd0d21ed725a7e8d73ee49b945a2e21735b6ba0f6322d2b295c31922

SHA512
ddac41572cb3188fb98eedc00e4b8d324f18a053075aec5aca58994404bb1d756f56ab22712a957c13dc5831f3aed5f12bf7ae806e231b33b6a1a97c0b9b3745

Download Submit
memory/2484-155-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-154-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-122-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-123-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-125-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-126-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-128-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-129-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-130-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-131-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-132-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-133-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-134-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-135-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-136-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-138-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-137-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-139-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-140-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-141-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-142-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-143-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-144-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-145-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-146-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-147-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-148-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-149-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-150-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-151-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-152-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-153-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-157-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-120-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-121-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-156-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-171-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-159-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-160-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-162-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-161-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-163-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-164-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-165-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-166-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-167-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-168-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-169-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-170-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-158-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-173-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-172-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-174-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-175-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-176-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-177-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-178-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-180-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-179-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-181-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-182-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-183-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-184-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/2484-185-0x0000000077D90000-0x0000000077F1E000-memory.dmp

Filesize
1.6MB

Download
memory/3968-341-0x0000000005110000-0x0000000005116000-memory.dmp

Filesize
24KB

Download
memory/4444-281-0x0000000002FA0000-0x00000000030EA000-memory.dmp

Filesize
1.3MB

Download
memory/4444-342-0x0000000002FA0000-0x00000000030EA000-memory.dmp

Filesize
1.3MB

Download