2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805

General

Target

2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe
Size

1.5MB
MD5

2180de6314fce94a9ebcf8483959b322
SHA1

1fbef557fb3a2d61c05f8e9cc28ac7e67ea34f8a
SHA256

2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805
SHA512

d1161301362d5edfe44092e0d65109944a350714214c9add50954fa2d39b128741721a494811bcda24960228a6e4e9e63f7afc233104c286c89d54fce496312d
SSDEEP

24576:5OtT5xvEebZXz/C7Mtkq3GjABGgqgDHYEr9uW4YuPsDOdqvzHnHXh5F:5OtT/bZj4Mtp3GjAYgd3e3UPF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4548	rundll32.exe
4548	rundll32.exe
1632	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 404	4300	2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe	66
PID 4300 wrote to memory of 404	4300	2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe	66
PID 4300 wrote to memory of 404	4300	2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe	66
PID 404 wrote to memory of 4548	404	control.exe	68
PID 404 wrote to memory of 4548	404	control.exe	68
PID 404 wrote to memory of 4548	404	control.exe	68
PID 4548 wrote to memory of 2096	4548	rundll32.exe	69
PID 4548 wrote to memory of 2096	4548	rundll32.exe	69
PID 2096 wrote to memory of 1632	2096	RunDll32.exe	70
PID 2096 wrote to memory of 1632	2096	RunDll32.exe	70
PID 2096 wrote to memory of 1632	2096	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe
"C:\Users\Admin\AppData\Local\Temp\2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
        5⤵
        Loads dropped DLL
        
        PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lL~U.cPL

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
memory/1632-140-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1632-149-0x0000000004B80000-0x0000000004C4F000-memory.dmp

Filesize
828KB

Download
memory/1632-148-0x0000000004B80000-0x0000000004C4F000-memory.dmp

Filesize
828KB

Download
memory/1632-145-0x0000000004B80000-0x0000000004C4F000-memory.dmp

Filesize
828KB

Download
memory/1632-144-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1632-143-0x00000000051E0000-0x00000000052C6000-memory.dmp

Filesize
920KB

Download
memory/1632-142-0x0000000004B60000-0x0000000004B66000-memory.dmp

Filesize
24KB

Download
memory/4548-129-0x0000000004380000-0x00000000044D1000-memory.dmp

Filesize
1.3MB

Download
memory/4548-138-0x0000000004700000-0x00000000047CF000-memory.dmp

Filesize
828KB

Download
memory/4548-137-0x0000000004700000-0x00000000047CF000-memory.dmp

Filesize
828KB

Download
memory/4548-134-0x0000000004700000-0x00000000047CF000-memory.dmp

Filesize
828KB

Download
memory/4548-133-0x0000000004600000-0x00000000046E6000-memory.dmp

Filesize
920KB

Download
memory/4548-131-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/4548-128-0x0000000004380000-0x00000000044D1000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing