a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531

Analysis

max time kernel
146s
max time network
186s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
10/02/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe
Size

1.3MB
MD5

1ba03acdf21ebb64903722bc6554b53e
SHA1

0bce5884c123fff791198b8223b285005cd0ef41
SHA256

a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531
SHA512

1d09de3b82991fc36a56e67662183266cec3461d0d97bee613b19f5fc9f8760b985a4e4ea088bd4c23dbc66acef60a6154f1d2a5557488190cc075c5275ec26b
SSDEEP

24576:dOuz3GIV6EGnxoFofftAH+NZne67hEVVqKvU2JEvlAMOOSx02GH:suz3GDnxoF+tAHg9hhEVVqghivliby2s

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4520	rundll32.exe
4244	rundll32.exe
4244	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 4568	2552	a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe	66
PID 2552 wrote to memory of 4568	2552	a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe	66
PID 2552 wrote to memory of 4568	2552	a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe	66
PID 4568 wrote to memory of 4520	4568	control.exe	68
PID 4568 wrote to memory of 4520	4568	control.exe	68
PID 4568 wrote to memory of 4520	4568	control.exe	68
PID 4520 wrote to memory of 4748	4520	rundll32.exe	69
PID 4520 wrote to memory of 4748	4520	rundll32.exe	69
PID 4748 wrote to memory of 4244	4748	RunDll32.exe	70
PID 4748 wrote to memory of 4244	4748	RunDll32.exe	70
PID 4748 wrote to memory of 4244	4748	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe
"C:\Users\Admin\AppData\Local\Temp\a4e1ed5bba8f3a3003bad7b4df606ec89025bbf4ddae91f9db43377a2020c531.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WRYaTC.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WRYaTC.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WRYaTC.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\WRYaTC.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WRYaTC.cPl

Filesize
1.4MB

MD5
2185799478f35bffc0f98998ddc0fca3

SHA1
155f59623c25b440f5eb177ca942c3d7ffbf6243

SHA256
a7d46696fad37b28078ef521626b11c05c614d3239f1d7a49a21cac7d35a8899

SHA512
ac5887ce496e069897495b7ccf873345524a0768ab39400618f268979b1e0706bd1c81a5381db7c2f15d545b4173a9668f3c1253e452e2cab3ae9bab1bfbd0c8

Download Submit
\Users\Admin\AppData\Local\Temp\WRYaTC.cpl

Filesize
1.4MB

MD5
2185799478f35bffc0f98998ddc0fca3

SHA1
155f59623c25b440f5eb177ca942c3d7ffbf6243

SHA256
a7d46696fad37b28078ef521626b11c05c614d3239f1d7a49a21cac7d35a8899

SHA512
ac5887ce496e069897495b7ccf873345524a0768ab39400618f268979b1e0706bd1c81a5381db7c2f15d545b4173a9668f3c1253e452e2cab3ae9bab1bfbd0c8

Download Submit
\Users\Admin\AppData\Local\Temp\WRYaTC.cpl

Filesize
1.4MB

MD5
2185799478f35bffc0f98998ddc0fca3

SHA1
155f59623c25b440f5eb177ca942c3d7ffbf6243

SHA256
a7d46696fad37b28078ef521626b11c05c614d3239f1d7a49a21cac7d35a8899

SHA512
ac5887ce496e069897495b7ccf873345524a0768ab39400618f268979b1e0706bd1c81a5381db7c2f15d545b4173a9668f3c1253e452e2cab3ae9bab1bfbd0c8

Download Submit
\Users\Admin\AppData\Local\Temp\WRYaTC.cpl

Filesize
1.4MB

MD5
2185799478f35bffc0f98998ddc0fca3

SHA1
155f59623c25b440f5eb177ca942c3d7ffbf6243

SHA256
a7d46696fad37b28078ef521626b11c05c614d3239f1d7a49a21cac7d35a8899

SHA512
ac5887ce496e069897495b7ccf873345524a0768ab39400618f268979b1e0706bd1c81a5381db7c2f15d545b4173a9668f3c1253e452e2cab3ae9bab1bfbd0c8

Download Submit
memory/2552-155-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-163-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-123-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-125-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-126-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-128-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-157-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-130-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-131-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-159-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-133-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-134-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-135-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-136-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-137-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-138-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-139-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-140-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-141-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-142-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-143-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-144-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-145-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-146-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-147-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-148-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-149-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-150-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-151-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-152-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-153-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-154-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-121-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-156-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-129-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-122-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-132-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-160-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-161-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-162-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-158-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-164-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-165-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-166-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-167-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-168-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-169-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-170-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-171-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-172-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-173-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-174-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-175-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-176-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-177-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-178-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-179-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-180-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-181-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-182-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-183-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-184-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-185-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/2552-120-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4244-345-0x0000000002260000-0x0000000002266000-memory.dmp

Filesize
24KB

Download
memory/4520-281-0x0000000004D00000-0x0000000004D06000-memory.dmp

Filesize
24KB

Download