ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5

General

Target

ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe
Size

1.4MB
MD5

fd36f3e1ae47434fbf450795d4ab4f7b
SHA1

204be930609eb69cb985e19aaf32c1f510fe8525
SHA256

ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5
SHA512

58579a4dcdee8d63aef89f2c83fa9f278be720721622da9f0a946b651f94674b78d04a1365d47d6e812673d968a0466d652797d3c0d109d3e5c0a3c4636aabe5
SSDEEP

24576:I/XEXjJSFHUK12DKcNRflu3p5a8kDB3548hExFoaKgCus4tSna5r5iwxaTGgs:I/oS12QOD15jhExuvw35MCb

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2128 rundll32.exe
2636 rundll32.exe
2636 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2128	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe

Modifies registry class 1 IoCs

Processes:

ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2788 wrote to memory of 3592	2788	ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe	control.exe
PID 2788 wrote to memory of 3592	2788	ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe	control.exe
PID 2788 wrote to memory of 3592	2788	ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe	control.exe
PID 3592 wrote to memory of 2128	3592	control.exe	rundll32.exe
PID 3592 wrote to memory of 2128	3592	control.exe	rundll32.exe
PID 3592 wrote to memory of 2128	3592	control.exe	rundll32.exe
PID 2128 wrote to memory of 4712	2128	rundll32.exe	RunDll32.exe
PID 2128 wrote to memory of 4712	2128	rundll32.exe	RunDll32.exe
PID 4712 wrote to memory of 2636	4712	RunDll32.exe	rundll32.exe
PID 4712 wrote to memory of 2636	4712	RunDll32.exe	rundll32.exe
PID 4712 wrote to memory of 2636	4712	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe
"C:\Users\Admin\AppData\Local\Temp\ca794de79f1afbfee648b3ac91082764b2b90b2b8f1155c048c19f490887f5a5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\J~lHOTGU.cpL",
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\J~lHOTGU.cpL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\J~lHOTGU.cpL",
4⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\J~lHOTGU.cpL",
5⤵
- Loads dropped DLL
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J~lHOTGU.cpL
Filesize
1.1MB

MD5
3ad7faca4ffc0a735e70ff51f36a7f90

SHA1
33a79878dcf30e36965941452a97c287d3ae4d3b

SHA256
0447262f21179d56bf8e309d061f1a1ea02d3e4664e704e1497d83f0e8b47265

SHA512
f4f7d57be48d9a94a78b87ae557cbc5b53bc145b5aafcd77ea686de2c6e843bfdc9220e8826be7cc4c14500050abcdcaf8d9ad403eb4cd7041301329c738fd5c

Download Submit
\Users\Admin\AppData\Local\Temp\j~lHoTgU.cpl
Filesize
1.1MB

MD5
3ad7faca4ffc0a735e70ff51f36a7f90

SHA1
33a79878dcf30e36965941452a97c287d3ae4d3b

SHA256
0447262f21179d56bf8e309d061f1a1ea02d3e4664e704e1497d83f0e8b47265

SHA512
f4f7d57be48d9a94a78b87ae557cbc5b53bc145b5aafcd77ea686de2c6e843bfdc9220e8826be7cc4c14500050abcdcaf8d9ad403eb4cd7041301329c738fd5c

Download Submit
\Users\Admin\AppData\Local\Temp\j~lHoTgU.cpl
Filesize
1.1MB

MD5
3ad7faca4ffc0a735e70ff51f36a7f90

SHA1
33a79878dcf30e36965941452a97c287d3ae4d3b

SHA256
0447262f21179d56bf8e309d061f1a1ea02d3e4664e704e1497d83f0e8b47265

SHA512
f4f7d57be48d9a94a78b87ae557cbc5b53bc145b5aafcd77ea686de2c6e843bfdc9220e8826be7cc4c14500050abcdcaf8d9ad403eb4cd7041301329c738fd5c

Download Submit
\Users\Admin\AppData\Local\Temp\j~lHoTgU.cpl
Filesize
1.1MB

MD5
3ad7faca4ffc0a735e70ff51f36a7f90

SHA1
33a79878dcf30e36965941452a97c287d3ae4d3b

SHA256
0447262f21179d56bf8e309d061f1a1ea02d3e4664e704e1497d83f0e8b47265

SHA512
f4f7d57be48d9a94a78b87ae557cbc5b53bc145b5aafcd77ea686de2c6e843bfdc9220e8826be7cc4c14500050abcdcaf8d9ad403eb4cd7041301329c738fd5c

Download Submit
memory/2128-133-0x0000000004FF0000-0x00000000050CB000-memory.dmp

Filesize
876KB

Download
memory/2128-125-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2128-130-0x0000000004FF0000-0x00000000050CB000-memory.dmp

Filesize
876KB

Download
memory/2128-132-0x0000000004FF0000-0x00000000050CB000-memory.dmp

Filesize
876KB

Download
memory/2128-128-0x0000000004EF0000-0x0000000004FE3000-memory.dmp

Filesize
972KB

Download
memory/2128-127-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

Filesize
24KB

Download
memory/2128-129-0x0000000004FF0000-0x00000000050CB000-memory.dmp

Filesize
876KB

Download
memory/2636-136-0x0000000004410000-0x0000000004535000-memory.dmp

Filesize
1.1MB

Download
memory/2636-137-0x0000000004410000-0x0000000004535000-memory.dmp

Filesize
1.1MB

Download
memory/2636-139-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/2636-140-0x0000000004770000-0x0000000004863000-memory.dmp

Filesize
972KB

Download
memory/2636-142-0x0000000004870000-0x000000000494B000-memory.dmp

Filesize
876KB

Download
memory/2636-144-0x0000000004870000-0x000000000494B000-memory.dmp

Filesize
876KB

Download
memory/2636-145-0x0000000004870000-0x000000000494B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing