dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5

General

Target

dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe
Size

1.4MB
MD5

38aa2954bb94ecc536433215204fa952
SHA1

6a3f78e20382174ffc1952a904cd8f8ae86e9c27
SHA256

dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5
SHA512

b1fc008e3fe121e6a5c8dbba81458f11ead4cc6897c6fb3b28dfb95684e97d7e71a258f731086f69bd2928a8156fd55702ab58173dbec29567ce4e06379fc2e7
SSDEEP

24576:gJr8tE+gHqkj5A9bp0PTnEtXak/23fA3TbPH3rHY1nu75BOB0/9XT+9H9/+0Tvon:gJ4Nkj5nnaKBfAjz3DsuDO4SX/rTvC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1564 rundll32.exe
1452 rundll32.exe
1452 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1564	rundll32.exe
1452	rundll32.exe
1452	rundll32.exe

Modifies registry class 1 IoCs

Processes:

dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2052 wrote to memory of 2456	2052	dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe	control.exe
PID 2052 wrote to memory of 2456	2052	dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe	control.exe
PID 2052 wrote to memory of 2456	2052	dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe	control.exe
PID 2456 wrote to memory of 1564	2456	control.exe	rundll32.exe
PID 2456 wrote to memory of 1564	2456	control.exe	rundll32.exe
PID 2456 wrote to memory of 1564	2456	control.exe	rundll32.exe
PID 1564 wrote to memory of 4040	1564	rundll32.exe	RunDll32.exe
PID 1564 wrote to memory of 4040	1564	rundll32.exe	RunDll32.exe
PID 4040 wrote to memory of 1452	4040	RunDll32.exe	rundll32.exe
PID 4040 wrote to memory of 1452	4040	RunDll32.exe	rundll32.exe
PID 4040 wrote to memory of 1452	4040	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe
"C:\Users\Admin\AppData\Local\Temp\dc888b371f4ba611346dc51d6effcaf2be3680adbc73651d90cb1dea752a45c5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\GO9eA.Cpl",
2⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GO9eA.Cpl",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GO9eA.Cpl",
4⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\GO9eA.Cpl",
5⤵
- Loads dropped DLL
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GO9eA.Cpl
Filesize
1.1MB

MD5
b3eb3504d90d99e6be3dc01405f6c6f1

SHA1
52bd25b3c1cdca11fd360a1eb013b79473847d54

SHA256
99492cd42f41ba16b45e4cd0f61307f780442bfa3851940a33acf8fb52fbd353

SHA512
e269c36307ab948bbed2e8302c318bfd7146aa9a62d7081628466a7cd17b878dfb0730b62620f84009b9fbe60b1dcdc16b3ca928f0082586b430871ac42779ec

Download Submit
\Users\Admin\AppData\Local\Temp\GO9ea.cpl
Filesize
1.1MB

MD5
b3eb3504d90d99e6be3dc01405f6c6f1

SHA1
52bd25b3c1cdca11fd360a1eb013b79473847d54

SHA256
99492cd42f41ba16b45e4cd0f61307f780442bfa3851940a33acf8fb52fbd353

SHA512
e269c36307ab948bbed2e8302c318bfd7146aa9a62d7081628466a7cd17b878dfb0730b62620f84009b9fbe60b1dcdc16b3ca928f0082586b430871ac42779ec

Download Submit
\Users\Admin\AppData\Local\Temp\GO9ea.cpl
Filesize
1.1MB

MD5
b3eb3504d90d99e6be3dc01405f6c6f1

SHA1
52bd25b3c1cdca11fd360a1eb013b79473847d54

SHA256
99492cd42f41ba16b45e4cd0f61307f780442bfa3851940a33acf8fb52fbd353

SHA512
e269c36307ab948bbed2e8302c318bfd7146aa9a62d7081628466a7cd17b878dfb0730b62620f84009b9fbe60b1dcdc16b3ca928f0082586b430871ac42779ec

Download Submit
\Users\Admin\AppData\Local\Temp\GO9ea.cpl
Filesize
1.1MB

MD5
b3eb3504d90d99e6be3dc01405f6c6f1

SHA1
52bd25b3c1cdca11fd360a1eb013b79473847d54

SHA256
99492cd42f41ba16b45e4cd0f61307f780442bfa3851940a33acf8fb52fbd353

SHA512
e269c36307ab948bbed2e8302c318bfd7146aa9a62d7081628466a7cd17b878dfb0730b62620f84009b9fbe60b1dcdc16b3ca928f0082586b430871ac42779ec

Download Submit
memory/1452-139-0x0000000004400000-0x0000000004525000-memory.dmp

Filesize
1.1MB

Download
memory/1452-148-0x0000000004B10000-0x0000000004BEB000-memory.dmp

Filesize
876KB

Download
memory/1452-147-0x0000000004B10000-0x0000000004BEB000-memory.dmp

Filesize
876KB

Download
memory/1452-145-0x0000000004B10000-0x0000000004BEB000-memory.dmp

Filesize
876KB

Download
memory/1452-143-0x0000000004A10000-0x0000000004B03000-memory.dmp

Filesize
972KB

Download
memory/1452-142-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/1452-140-0x0000000004400000-0x0000000004525000-memory.dmp

Filesize
1.1MB

Download
memory/1564-131-0x00000000051E0000-0x00000000052D3000-memory.dmp

Filesize
972KB

Download
memory/1564-136-0x00000000052E0000-0x00000000053BB000-memory.dmp

Filesize
876KB

Download
memory/1564-135-0x00000000052E0000-0x00000000053BB000-memory.dmp

Filesize
876KB

Download
memory/1564-132-0x00000000052E0000-0x00000000053BB000-memory.dmp

Filesize
876KB

Download
memory/1564-133-0x00000000052E0000-0x00000000053BB000-memory.dmp

Filesize
876KB

Download
memory/1564-130-0x0000000003290000-0x0000000003296000-memory.dmp

Filesize
24KB

Download
memory/1564-128-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing