48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f

General

Target

48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe
Size

1.5MB
MD5

67a08d419cfe9fb6dde560b64eb70e10
SHA1

b9062ff2cd2a5e115c498620d2d114893fb8f497
SHA256

48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f
SHA512

a0ce3602a34472207ac020db72cc60a2c9df7c678e15b01c1230b25ff4439c250fbe0b4e5645746a58c97b477ed7167532039213e062375a8a465828c815bf37
SSDEEP

24576:elMiZMVn1db5AnUZLPLs2RPljK/X6lhfO/Ag5MKxpl38lo2k5mZpYQ+MedyFQh:5FPLs2RPxwX6lhOzZf392k5mHVA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2632	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4184	2896	48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe	66
PID 2896 wrote to memory of 4184	2896	48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe	66
PID 2896 wrote to memory of 4184	2896	48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe	66
PID 4184 wrote to memory of 2632	4184	control.exe	68
PID 4184 wrote to memory of 2632	4184	control.exe	68
PID 4184 wrote to memory of 2632	4184	control.exe	68
PID 2632 wrote to memory of 4008	2632	rundll32.exe	69
PID 2632 wrote to memory of 4008	2632	rundll32.exe	69
PID 4008 wrote to memory of 4628	4008	RunDll32.exe	70
PID 4008 wrote to memory of 4628	4008	RunDll32.exe	70
PID 4008 wrote to memory of 4628	4008	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe
"C:\Users\Admin\AppData\Local\Temp\48384b146626c1bd60bc7b88d5dfadcc59f3aed2f2042f7e455d7bde850a3f1f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\09hLG.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\09hLG.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\09hLG.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\09hLG.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09hLG.CpL

Filesize
1.1MB

MD5
6c3695a41502284045c1ae3d727b6cd2

SHA1
ce12fe94d796dbaf704eeaf80d078bf301a32c4a

SHA256
d4acd7e7f39076e1f5edc7e01a8b36d87a92a006ce28c5573372731ade467525

SHA512
e7aefa3bca97ee508e868df99d311c0a2408d412e9788f3edd3a4037134260b81fe1ba0354af8f50a5af9e939f0efb52c09ec8d72f399078a15d4e8dbe72b56b

Download Submit
\Users\Admin\AppData\Local\Temp\09hlg.cpl

Filesize
1.1MB

MD5
6c3695a41502284045c1ae3d727b6cd2

SHA1
ce12fe94d796dbaf704eeaf80d078bf301a32c4a

SHA256
d4acd7e7f39076e1f5edc7e01a8b36d87a92a006ce28c5573372731ade467525

SHA512
e7aefa3bca97ee508e868df99d311c0a2408d412e9788f3edd3a4037134260b81fe1ba0354af8f50a5af9e939f0efb52c09ec8d72f399078a15d4e8dbe72b56b

Download Submit
\Users\Admin\AppData\Local\Temp\09hlg.cpl

Filesize
1.1MB

MD5
6c3695a41502284045c1ae3d727b6cd2

SHA1
ce12fe94d796dbaf704eeaf80d078bf301a32c4a

SHA256
d4acd7e7f39076e1f5edc7e01a8b36d87a92a006ce28c5573372731ade467525

SHA512
e7aefa3bca97ee508e868df99d311c0a2408d412e9788f3edd3a4037134260b81fe1ba0354af8f50a5af9e939f0efb52c09ec8d72f399078a15d4e8dbe72b56b

Download Submit
\Users\Admin\AppData\Local\Temp\09hlg.cpl

Filesize
1.1MB

MD5
6c3695a41502284045c1ae3d727b6cd2

SHA1
ce12fe94d796dbaf704eeaf80d078bf301a32c4a

SHA256
d4acd7e7f39076e1f5edc7e01a8b36d87a92a006ce28c5573372731ade467525

SHA512
e7aefa3bca97ee508e868df99d311c0a2408d412e9788f3edd3a4037134260b81fe1ba0354af8f50a5af9e939f0efb52c09ec8d72f399078a15d4e8dbe72b56b

Download Submit
memory/2632-133-0x0000000004D90000-0x0000000004E68000-memory.dmp

Filesize
864KB

Download
memory/2632-134-0x0000000004E70000-0x0000000004F34000-memory.dmp

Filesize
784KB

Download
memory/2632-137-0x0000000004E70000-0x0000000004F34000-memory.dmp

Filesize
784KB

Download
memory/2632-138-0x0000000004E70000-0x0000000004F34000-memory.dmp

Filesize
784KB

Download
memory/2632-130-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/2632-128-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4628-142-0x0000000000F50000-0x0000000001065000-memory.dmp

Filesize
1.1MB

Download
memory/4628-141-0x0000000000F50000-0x0000000001065000-memory.dmp

Filesize
1.1MB

Download
memory/4628-144-0x0000000000580000-0x0000000000586000-memory.dmp

Filesize
24KB

Download
memory/4628-146-0x0000000000F50000-0x0000000001065000-memory.dmp

Filesize
1.1MB

Download
memory/4628-147-0x0000000001070000-0x0000000001148000-memory.dmp

Filesize
864KB

Download
memory/4628-148-0x0000000004800000-0x00000000048C4000-memory.dmp

Filesize
784KB

Download
memory/4628-151-0x0000000004800000-0x00000000048C4000-memory.dmp

Filesize
784KB

Download
memory/4628-152-0x0000000004800000-0x00000000048C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing