2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-03-2023 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.5MB
MD5

2180de6314fce94a9ebcf8483959b322
SHA1

1fbef557fb3a2d61c05f8e9cc28ac7e67ea34f8a
SHA256

2fc4d0a9297bb0408dfb59f2e9c1378f7650bdc4dda664e1c78e34c496684805
SHA512

d1161301362d5edfe44092e0d65109944a350714214c9add50954fa2d39b128741721a494811bcda24960228a6e4e9e63f7afc233104c286c89d54fce496312d
SSDEEP

24576:5OtT5xvEebZXz/C7Mtkq3GjABGgqgDHYEr9uW4YuPsDOdqvzHnHXh5F:5OtT/bZj4Mtp3GjAYgd3e3UPF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
328	rundll32.exe
328	rundll32.exe
328	rundll32.exe
328	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1940	1064	tmp.exe	27
PID 1064 wrote to memory of 1940	1064	tmp.exe	27
PID 1064 wrote to memory of 1940	1064	tmp.exe	27
PID 1064 wrote to memory of 1940	1064	tmp.exe	27
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 1940 wrote to memory of 328	1940	control.exe	28
PID 328 wrote to memory of 1216	328	rundll32.exe	29
PID 328 wrote to memory of 1216	328	rundll32.exe	29
PID 328 wrote to memory of 1216	328	rundll32.exe	29
PID 328 wrote to memory of 1216	328	rundll32.exe	29
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30
PID 1216 wrote to memory of 640	1216	RunDll32.exe	30

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\lL~U.cPL",
        5⤵
        Loads dropped DLL
        
        PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lL~U.cPL

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
\Users\Admin\AppData\Local\Temp\lL~U.cpl

Filesize
1.3MB

MD5
cf47aab02e9b37dfdbb63bee771e0370

SHA1
e21792f126339ce2c489625c7257efde247b23de

SHA256
39da3b85aee28bda8901e56346dc1d07e1a34610a3825c58a8edcee8a05f0150

SHA512
d981befd4934fa6f0c8e49378ef8ffecb57d1c2d950f69cc59a6d958aaaf7ed23df215853d86a0fd92748bfbaf4752d2f5d04430e870591b3ec43e4a1da55ce4

Download Submit
memory/328-68-0x0000000000DA0000-0x0000000000E6F000-memory.dmp

Filesize
828KB

Download
memory/328-71-0x0000000000DA0000-0x0000000000E6F000-memory.dmp

Filesize
828KB

Download
memory/328-72-0x0000000000DA0000-0x0000000000E6F000-memory.dmp

Filesize
828KB

Download
memory/328-67-0x0000000002730000-0x0000000002816000-memory.dmp

Filesize
920KB

Download
memory/328-65-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/328-63-0x0000000002290000-0x00000000023E1000-memory.dmp

Filesize
1.3MB

Download
memory/328-62-0x0000000002290000-0x00000000023E1000-memory.dmp

Filesize
1.3MB

Download
memory/640-80-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/640-83-0x0000000000D30000-0x0000000000DFF000-memory.dmp

Filesize
828KB

Download
memory/640-86-0x0000000000D30000-0x0000000000DFF000-memory.dmp

Filesize
828KB

Download
memory/640-87-0x0000000000D30000-0x0000000000DFF000-memory.dmp

Filesize
828KB

Download