10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac

General

Target

10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe
Size

1.4MB
MD5

2d9d1e69a757d1ced1b231693f94b074
SHA1

8cd17669122bb3374324f02592e4705c53b86db6
SHA256

10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac
SHA512

1553e5b03b84a96584e6ed899d8155e525116062fe25920459d34d45758e0ba2b7d2d54bb05c63864765657656e5305c6794debb647720d7bfa81c59929876c1
SSDEEP

24576:gJr8tE+gHqwTRzTDQtg3cFqDWoS96FLDPvusPGKGa5Rfp4VlW0k:gJ4Nw9XstgMFtrEF/tPGKH1p3

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
5096	rundll32.exe
4664	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2908	2456	10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe	66
PID 2456 wrote to memory of 2908	2456	10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe	66
PID 2456 wrote to memory of 2908	2456	10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe	66
PID 2908 wrote to memory of 5096	2908	control.exe	68
PID 2908 wrote to memory of 5096	2908	control.exe	68
PID 2908 wrote to memory of 5096	2908	control.exe	68
PID 5096 wrote to memory of 3008	5096	rundll32.exe	69
PID 5096 wrote to memory of 3008	5096	rundll32.exe	69
PID 3008 wrote to memory of 4664	3008	RunDll32.exe	70
PID 3008 wrote to memory of 4664	3008	RunDll32.exe	70
PID 3008 wrote to memory of 4664	3008	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe
"C:\Users\Admin\AppData\Local\Temp\10be6b582c68d544cefbca99d00034d6be5d7956d73f010f8680b4cb2a86ecac.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\FuFHHIiP.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FuFHHIiP.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FuFHHIiP.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\FuFHHIiP.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FuFHHIiP.cPl

Filesize
1.2MB

MD5
2e3c642c750c038b6dd4f74a24746f4d

SHA1
d563d047bfbb94589c09838cc9012318b1659e61

SHA256
afc923ebdba5a265d288dae7d88dfb88109a3318b98e9d7f8982a8488fd081cb

SHA512
6982daaef9431a524d48cc8a3573b480da769e2af0d4747ba1232c78b08b64580a68c5f1c7c69be242815946354fd2495329eb7ee0f93bd985edb3354352a783

Download Submit
\Users\Admin\AppData\Local\Temp\fufHHIiP.cpl

Filesize
1.2MB

MD5
2e3c642c750c038b6dd4f74a24746f4d

SHA1
d563d047bfbb94589c09838cc9012318b1659e61

SHA256
afc923ebdba5a265d288dae7d88dfb88109a3318b98e9d7f8982a8488fd081cb

SHA512
6982daaef9431a524d48cc8a3573b480da769e2af0d4747ba1232c78b08b64580a68c5f1c7c69be242815946354fd2495329eb7ee0f93bd985edb3354352a783

Download Submit
\Users\Admin\AppData\Local\Temp\fufHHIiP.cpl

Filesize
1.2MB

MD5
2e3c642c750c038b6dd4f74a24746f4d

SHA1
d563d047bfbb94589c09838cc9012318b1659e61

SHA256
afc923ebdba5a265d288dae7d88dfb88109a3318b98e9d7f8982a8488fd081cb

SHA512
6982daaef9431a524d48cc8a3573b480da769e2af0d4747ba1232c78b08b64580a68c5f1c7c69be242815946354fd2495329eb7ee0f93bd985edb3354352a783

Download Submit
memory/4664-149-0x0000000004AA0000-0x0000000004B75000-memory.dmp

Filesize
852KB

Download
memory/4664-148-0x0000000004AA0000-0x0000000004B75000-memory.dmp

Filesize
852KB

Download
memory/4664-146-0x0000000004AA0000-0x0000000004B75000-memory.dmp

Filesize
852KB

Download
memory/4664-144-0x0000000005100000-0x00000000051ED000-memory.dmp

Filesize
948KB

Download
memory/4664-141-0x0000000003060000-0x0000000003066000-memory.dmp

Filesize
24KB

Download
memory/5096-130-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

Filesize
24KB

Download
memory/5096-137-0x0000000004D70000-0x0000000004E45000-memory.dmp

Filesize
852KB

Download
memory/5096-136-0x0000000004D70000-0x0000000004E45000-memory.dmp

Filesize
852KB

Download
memory/5096-134-0x0000000004D70000-0x0000000004E45000-memory.dmp

Filesize
852KB

Download
memory/5096-133-0x0000000004D70000-0x0000000004E45000-memory.dmp

Filesize
852KB

Download
memory/5096-132-0x0000000004C80000-0x0000000004D6D000-memory.dmp

Filesize
948KB

Download
memory/5096-128-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing