6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d

General

Target

6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe
Size

1.3MB
MD5

07db54085b6693683aae67b3f39cc0d4
SHA1

e732357df8292d65675afc6be1d6423554519c47
SHA256

6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d
SHA512

39d12b622e3aa4f18745289ca9299cae66036095e5452990ad719b7c5ca5e0ba748ccc14c89d28755b51656f945ec3ebe820959d79deb44e1224e62d98829211
SSDEEP

24576:gJr8tE+gHqOGCrqvOZJVxl9Zn0hxtejdKSN2Gow53tnQMeQlpglrBAV0NJ8:gJ4NOG8qvOZJzFwxtejd32lutnQ1Qrgi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3264	rundll32.exe
4668	rundll32.exe
4668	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2836	2236	6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe	66
PID 2236 wrote to memory of 2836	2236	6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe	66
PID 2236 wrote to memory of 2836	2236	6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe	66
PID 2836 wrote to memory of 3264	2836	control.exe	68
PID 2836 wrote to memory of 3264	2836	control.exe	68
PID 2836 wrote to memory of 3264	2836	control.exe	68
PID 3264 wrote to memory of 1648	3264	rundll32.exe	69
PID 3264 wrote to memory of 1648	3264	rundll32.exe	69
PID 1648 wrote to memory of 4668	1648	RunDll32.exe	70
PID 1648 wrote to memory of 4668	1648	RunDll32.exe	70
PID 1648 wrote to memory of 4668	1648	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe
"C:\Users\Admin\AppData\Local\Temp\6e8ebd107749e6b0c8e89f2f91929ec54795991fbbb01233642bdace7dc28f4d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EFnIA.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EFnIA.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EFnIA.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EFnIA.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EFnIA.cPl

Filesize
1.2MB

MD5
83dd2b719126b7898064e609aedc66a0

SHA1
f1707e6d477156de81439d537ef119351942806c

SHA256
d63edcc9008fedcd15ad053ada2ee95f8ead15f6be8e7a3682e19678bab1de95

SHA512
f853a8bb2294c8d3084c45da06008d759ff29f0ddb7a95619c79daca1df908fbf84e4df939b7016ba24cc49e8f8155f77edb7af330cc47191d2d58738dcbdacb

Download Submit
\Users\Admin\AppData\Local\Temp\efniA.cpl

Filesize
1.2MB

MD5
83dd2b719126b7898064e609aedc66a0

SHA1
f1707e6d477156de81439d537ef119351942806c

SHA256
d63edcc9008fedcd15ad053ada2ee95f8ead15f6be8e7a3682e19678bab1de95

SHA512
f853a8bb2294c8d3084c45da06008d759ff29f0ddb7a95619c79daca1df908fbf84e4df939b7016ba24cc49e8f8155f77edb7af330cc47191d2d58738dcbdacb

Download Submit
\Users\Admin\AppData\Local\Temp\efniA.cpl

Filesize
1.2MB

MD5
83dd2b719126b7898064e609aedc66a0

SHA1
f1707e6d477156de81439d537ef119351942806c

SHA256
d63edcc9008fedcd15ad053ada2ee95f8ead15f6be8e7a3682e19678bab1de95

SHA512
f853a8bb2294c8d3084c45da06008d759ff29f0ddb7a95619c79daca1df908fbf84e4df939b7016ba24cc49e8f8155f77edb7af330cc47191d2d58738dcbdacb

Download Submit
\Users\Admin\AppData\Local\Temp\efniA.cpl

Filesize
1.2MB

MD5
83dd2b719126b7898064e609aedc66a0

SHA1
f1707e6d477156de81439d537ef119351942806c

SHA256
d63edcc9008fedcd15ad053ada2ee95f8ead15f6be8e7a3682e19678bab1de95

SHA512
f853a8bb2294c8d3084c45da06008d759ff29f0ddb7a95619c79daca1df908fbf84e4df939b7016ba24cc49e8f8155f77edb7af330cc47191d2d58738dcbdacb

Download Submit
memory/3264-134-0x0000000004CF0000-0x0000000004DD0000-memory.dmp

Filesize
896KB

Download
memory/3264-135-0x0000000004DD0000-0x0000000004E98000-memory.dmp

Filesize
800KB

Download
memory/3264-138-0x0000000004DD0000-0x0000000004E98000-memory.dmp

Filesize
800KB

Download
memory/3264-139-0x0000000004DD0000-0x0000000004E98000-memory.dmp

Filesize
800KB

Download
memory/3264-130-0x0000000000C70000-0x0000000000C76000-memory.dmp

Filesize
24KB

Download
memory/3264-128-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/4668-143-0x0000000001180000-0x00000000012AA000-memory.dmp

Filesize
1.2MB

Download
memory/4668-142-0x0000000001180000-0x00000000012AA000-memory.dmp

Filesize
1.2MB

Download
memory/4668-145-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/4668-148-0x00000000049B0000-0x0000000004A90000-memory.dmp

Filesize
896KB

Download
memory/4668-149-0x0000000004A90000-0x0000000004B58000-memory.dmp

Filesize
800KB

Download
memory/4668-152-0x0000000004A90000-0x0000000004B58000-memory.dmp

Filesize
800KB

Download
memory/4668-153-0x0000000001180000-0x00000000012AA000-memory.dmp

Filesize
1.2MB

Download
memory/4668-154-0x0000000004A90000-0x0000000004B58000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing