1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a

General

Target

1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe
Size

1.4MB
MD5

73badbc6389af650ff8cde9a0fad6aad
SHA1

f9e1bca34abfd72e69cecbf5a8a43bab408653dd
SHA256

1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a
SHA512

3b8ebbb49a6cb0db44206d1d77e19b48056446f82ba7de23555410e2fcabdc9d4e9c8caf2b9f2d3d2056809a0f3946ea8499747f4c6d59b44177b46fdeec32c6
SSDEEP

24576:O208/RKHuEBSnwtE/0DIjvvUe9Vt5UKpi8KZftcaIH:908/RY9tg0wFv5rpivftcaIH

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4984	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4164	4324	1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe	66
PID 4324 wrote to memory of 4164	4324	1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe	66
PID 4324 wrote to memory of 4164	4324	1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe	66
PID 4164 wrote to memory of 4984	4164	control.exe	68
PID 4164 wrote to memory of 4984	4164	control.exe	68
PID 4164 wrote to memory of 4984	4164	control.exe	68
PID 4984 wrote to memory of 4392	4984	rundll32.exe	69
PID 4984 wrote to memory of 4392	4984	rundll32.exe	69
PID 4392 wrote to memory of 3996	4392	RunDll32.exe	70
PID 4392 wrote to memory of 3996	4392	RunDll32.exe	70
PID 4392 wrote to memory of 3996	4392	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe
"C:\Users\Admin\AppData\Local\Temp\1b5c3570179ff1f4a6b1f901af174d27cabea3369ecabbdfc7fa82e2b4ff0c4a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PV7_uYQ.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PV7_uYQ.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PV7_uYQ.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PV7_uYQ.cpl",
        5⤵
        Loads dropped DLL
        
        PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PV7_uYQ.cpl

Filesize
1.1MB

MD5
bd133bc2510f8b7a1e097170d6de7a92

SHA1
148c3af15dc3a0caf336b71970b055413c648822

SHA256
617ed16f7160be9c2eb50976292870450f1c0840fd7280d9a4d8bde2fa395870

SHA512
8cdc2c1209f7991972fc4f0a13c57ea9e91e04b2bef1167b38d07f323b47136414db6a3eed2ffb7dc8291eac05eaff9080b90ac013123b440a0b1dbd597bedec

Download Submit
\Users\Admin\AppData\Local\Temp\pV7_uYq.cpl

Filesize
1.1MB

MD5
bd133bc2510f8b7a1e097170d6de7a92

SHA1
148c3af15dc3a0caf336b71970b055413c648822

SHA256
617ed16f7160be9c2eb50976292870450f1c0840fd7280d9a4d8bde2fa395870

SHA512
8cdc2c1209f7991972fc4f0a13c57ea9e91e04b2bef1167b38d07f323b47136414db6a3eed2ffb7dc8291eac05eaff9080b90ac013123b440a0b1dbd597bedec

Download Submit
\Users\Admin\AppData\Local\Temp\pV7_uYq.cpl

Filesize
1.1MB

MD5
bd133bc2510f8b7a1e097170d6de7a92

SHA1
148c3af15dc3a0caf336b71970b055413c648822

SHA256
617ed16f7160be9c2eb50976292870450f1c0840fd7280d9a4d8bde2fa395870

SHA512
8cdc2c1209f7991972fc4f0a13c57ea9e91e04b2bef1167b38d07f323b47136414db6a3eed2ffb7dc8291eac05eaff9080b90ac013123b440a0b1dbd597bedec

Download Submit
\Users\Admin\AppData\Local\Temp\pV7_uYq.cpl

Filesize
1.1MB

MD5
bd133bc2510f8b7a1e097170d6de7a92

SHA1
148c3af15dc3a0caf336b71970b055413c648822

SHA256
617ed16f7160be9c2eb50976292870450f1c0840fd7280d9a4d8bde2fa395870

SHA512
8cdc2c1209f7991972fc4f0a13c57ea9e91e04b2bef1167b38d07f323b47136414db6a3eed2ffb7dc8291eac05eaff9080b90ac013123b440a0b1dbd597bedec

Download Submit
memory/3996-146-0x0000000004A90000-0x0000000004B59000-memory.dmp

Filesize
804KB

Download
memory/3996-145-0x0000000004A90000-0x0000000004B59000-memory.dmp

Filesize
804KB

Download
memory/3996-143-0x0000000004A90000-0x0000000004B59000-memory.dmp

Filesize
804KB

Download
memory/3996-141-0x00000000049A0000-0x0000000004A7E000-memory.dmp

Filesize
888KB

Download
memory/3996-140-0x0000000004880000-0x0000000004886000-memory.dmp

Filesize
24KB

Download
memory/3996-138-0x0000000004610000-0x0000000004734000-memory.dmp

Filesize
1.1MB

Download
memory/3996-137-0x0000000004610000-0x0000000004734000-memory.dmp

Filesize
1.1MB

Download
memory/4984-129-0x0000000004C00000-0x0000000004CDE000-memory.dmp

Filesize
888KB

Download
memory/4984-134-0x0000000004CE0000-0x0000000004DA9000-memory.dmp

Filesize
804KB

Download
memory/4984-133-0x0000000004CE0000-0x0000000004DA9000-memory.dmp

Filesize
804KB

Download
memory/4984-131-0x0000000004CE0000-0x0000000004DA9000-memory.dmp

Filesize
804KB

Download
memory/4984-130-0x0000000004CE0000-0x0000000004DA9000-memory.dmp

Filesize
804KB

Download
memory/4984-128-0x0000000002B90000-0x0000000002B96000-memory.dmp

Filesize
24KB

Download
memory/4984-126-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing