e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d

Analysis

max time kernel
138s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19/03/2023, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe
Size

1.7MB
MD5

9d5a3fbab9179a2361620921d733f799
SHA1

7720723822c1ed809e0921b8996a28c4ac98dc85
SHA256

e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d
SHA512

57fdcf8a33ef7568bf80e64ee25b3d19859cf3edc4b9a66026f6a6534a525b9828d386b00b78de1b8d1c8f7e883d2be97b9f232ca94888c592ce85655c3fff4c
SSDEEP

49152:dNsWhFZBfJXAE43ee/ovoDxWv4sAfSw0rC8+IrSThBo2:TsWhFZBfKELVvMaFy8QC2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3612	rundll32.exe
4164	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4968	2900	e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe	66
PID 2900 wrote to memory of 4968	2900	e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe	66
PID 2900 wrote to memory of 4968	2900	e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe	66
PID 4968 wrote to memory of 3612	4968	control.exe	68
PID 4968 wrote to memory of 3612	4968	control.exe	68
PID 4968 wrote to memory of 3612	4968	control.exe	68
PID 3612 wrote to memory of 2608	3612	rundll32.exe	69
PID 3612 wrote to memory of 2608	3612	rundll32.exe	69
PID 2608 wrote to memory of 4164	2608	RunDll32.exe	70
PID 2608 wrote to memory of 4164	2608	RunDll32.exe	70
PID 2608 wrote to memory of 4164	2608	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe
"C:\Users\Admin\AppData\Local\Temp\e929e7f7494bc002d7a4dba9f24e49c4789b0c09dc5e5cf816c36328430b783d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\IHbw.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IHbw.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IHbw.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\IHbw.CPl",
        5⤵
        Loads dropped DLL
        
        PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IHbw.CPl

Filesize
1.1MB

MD5
56bcbb2c96a5e80cac59126fc99a47ed

SHA1
e82d0d82a66764d03f49b3be95518932b607d56f

SHA256
d4d3b71ebbb124fc7070c9a0c0f58cd7410a80a7be3c7f30ab967b131724b1f8

SHA512
978f09e5a13a487be6a467df8762b1a8a4230489cf9c472c5dfe30ad12846252985e3d04c787f463db79591c184201e44fd35d52a2902157f95d18264e214248

Download Submit
\Users\Admin\AppData\Local\Temp\IHbw.cpl

Filesize
1.1MB

MD5
56bcbb2c96a5e80cac59126fc99a47ed

SHA1
e82d0d82a66764d03f49b3be95518932b607d56f

SHA256
d4d3b71ebbb124fc7070c9a0c0f58cd7410a80a7be3c7f30ab967b131724b1f8

SHA512
978f09e5a13a487be6a467df8762b1a8a4230489cf9c472c5dfe30ad12846252985e3d04c787f463db79591c184201e44fd35d52a2902157f95d18264e214248

Download Submit
\Users\Admin\AppData\Local\Temp\IHbw.cpl

Filesize
1.1MB

MD5
56bcbb2c96a5e80cac59126fc99a47ed

SHA1
e82d0d82a66764d03f49b3be95518932b607d56f

SHA256
d4d3b71ebbb124fc7070c9a0c0f58cd7410a80a7be3c7f30ab967b131724b1f8

SHA512
978f09e5a13a487be6a467df8762b1a8a4230489cf9c472c5dfe30ad12846252985e3d04c787f463db79591c184201e44fd35d52a2902157f95d18264e214248

Download Submit
memory/3612-128-0x0000000000A30000-0x0000000000A36000-memory.dmp

Filesize
24KB

Download
memory/3612-131-0x0000000004A60000-0x0000000004B4B000-memory.dmp

Filesize
940KB

Download
memory/3612-132-0x0000000004B50000-0x0000000004C23000-memory.dmp

Filesize
844KB

Download
memory/3612-133-0x0000000004B50000-0x0000000004C23000-memory.dmp

Filesize
844KB

Download
memory/3612-135-0x0000000004B50000-0x0000000004C23000-memory.dmp

Filesize
844KB

Download
memory/3612-136-0x0000000004B50000-0x0000000004C23000-memory.dmp

Filesize
844KB

Download
memory/3612-126-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4164-140-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/4164-143-0x0000000004AB0000-0x0000000004B9B000-memory.dmp

Filesize
940KB

Download
memory/4164-145-0x0000000004BA0000-0x0000000004C73000-memory.dmp

Filesize
844KB

Download
memory/4164-147-0x0000000004BA0000-0x0000000004C73000-memory.dmp

Filesize
844KB

Download
memory/4164-148-0x0000000004BA0000-0x0000000004C73000-memory.dmp

Filesize
844KB

Download