b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e

General

Target

b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe
Size

1.5MB
MD5

2ff4a8ce1e71118052937c2c673b6aaf
SHA1

38c33661632b974003285edc65df1577313999f0
SHA256

b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e
SHA512

b83217325a0a233790212c53b1dfcbece33bea7a8df76fc879260e1616bc04f1ac41ecf5214379a701a214626d350cf69c6e7f4e437f61349f4279a76d157411
SSDEEP

24576:RtuKaWhtDUbBfJXAENZJf4hhyW44byzmWbU/W2VM0UccSzrydM8oBNZBVSr6btN1:2fWhNaBfJXAE3JUyW44bahbU/WK1Ucci

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3940	rundll32.exe
3940	rundll32.exe
4640	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2496	2272	b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe	66
PID 2272 wrote to memory of 2496	2272	b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe	66
PID 2272 wrote to memory of 2496	2272	b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe	66
PID 2496 wrote to memory of 3940	2496	control.exe	68
PID 2496 wrote to memory of 3940	2496	control.exe	68
PID 2496 wrote to memory of 3940	2496	control.exe	68
PID 3940 wrote to memory of 4476	3940	rundll32.exe	69
PID 3940 wrote to memory of 4476	3940	rundll32.exe	69
PID 4476 wrote to memory of 4640	4476	RunDll32.exe	70
PID 4476 wrote to memory of 4640	4476	RunDll32.exe	70
PID 4476 wrote to memory of 4640	4476	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe
"C:\Users\Admin\AppData\Local\Temp\b9639292da78d70e67c97ce1bffe2167c0245a7a03746907826f7077ba032e1e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6YU5RMau.Cpl

Filesize
1.1MB

MD5
0e9eb7f4e027379eff9d6aeeb2cb5156

SHA1
8973e12d0a193cca69e1389c057be8e73d9a3862

SHA256
d7a17d9cf006b31e8f53108c53e3ecabcd831cc34531a5a01b3bdf8f1a6a8bd6

SHA512
4d9cd2e9c11881c1d9df3c01a1d6385e843e17629ed1a4f27b95067cba83c42496ebc68348569c2e93b4d70f73b679a4af690ed9403caf40e27b99737c099346

Download Submit
\Users\Admin\AppData\Local\Temp\6YU5RMau.cpl

Filesize
1.1MB

MD5
0e9eb7f4e027379eff9d6aeeb2cb5156

SHA1
8973e12d0a193cca69e1389c057be8e73d9a3862

SHA256
d7a17d9cf006b31e8f53108c53e3ecabcd831cc34531a5a01b3bdf8f1a6a8bd6

SHA512
4d9cd2e9c11881c1d9df3c01a1d6385e843e17629ed1a4f27b95067cba83c42496ebc68348569c2e93b4d70f73b679a4af690ed9403caf40e27b99737c099346

Download Submit
\Users\Admin\AppData\Local\Temp\6YU5RMau.cpl

Filesize
1.1MB

MD5
0e9eb7f4e027379eff9d6aeeb2cb5156

SHA1
8973e12d0a193cca69e1389c057be8e73d9a3862

SHA256
d7a17d9cf006b31e8f53108c53e3ecabcd831cc34531a5a01b3bdf8f1a6a8bd6

SHA512
4d9cd2e9c11881c1d9df3c01a1d6385e843e17629ed1a4f27b95067cba83c42496ebc68348569c2e93b4d70f73b679a4af690ed9403caf40e27b99737c099346

Download Submit
\Users\Admin\AppData\Local\Temp\6YU5RMau.cpl

Filesize
1.1MB

MD5
0e9eb7f4e027379eff9d6aeeb2cb5156

SHA1
8973e12d0a193cca69e1389c057be8e73d9a3862

SHA256
d7a17d9cf006b31e8f53108c53e3ecabcd831cc34531a5a01b3bdf8f1a6a8bd6

SHA512
4d9cd2e9c11881c1d9df3c01a1d6385e843e17629ed1a4f27b95067cba83c42496ebc68348569c2e93b4d70f73b679a4af690ed9403caf40e27b99737c099346

Download Submit
memory/3940-134-0x0000000004830000-0x00000000048F5000-memory.dmp

Filesize
788KB

Download
memory/3940-127-0x0000000004600000-0x0000000004721000-memory.dmp

Filesize
1.1MB

Download
memory/3940-132-0x00000000006E0000-0x00000000007BC000-memory.dmp

Filesize
880KB

Download
memory/3940-133-0x0000000004830000-0x00000000048F5000-memory.dmp

Filesize
788KB

Download
memory/3940-128-0x0000000004600000-0x0000000004721000-memory.dmp

Filesize
1.1MB

Download
memory/3940-136-0x0000000004830000-0x00000000048F5000-memory.dmp

Filesize
788KB

Download
memory/3940-137-0x0000000004830000-0x00000000048F5000-memory.dmp

Filesize
788KB

Download
memory/3940-130-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/4640-139-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4640-141-0x0000000000AD0000-0x0000000000AD6000-memory.dmp

Filesize
24KB

Download
memory/4640-142-0x0000000004C50000-0x0000000004D2C000-memory.dmp

Filesize
880KB

Download
memory/4640-144-0x0000000004970000-0x0000000004A35000-memory.dmp

Filesize
788KB

Download
memory/4640-146-0x0000000004970000-0x0000000004A35000-memory.dmp

Filesize
788KB

Download
memory/4640-147-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4640-148-0x0000000004970000-0x0000000004A35000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing