db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09

General

Target

db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe
Size

1.4MB
MD5

15b1e3c57cfa82e529bb6a3b93ac7170
SHA1

9c63cb0b95aac6d4933a2e10e4f366ccb68da3a7
SHA256

db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09
SHA512

26c1de7a699dc2f932f0c9dbaa7c8f80606d6145bf71c2bd493ae42c0d0b50b37e45451fc9d1a43fe481d157a7492312e8159c22ce99497cc154a52ce14707ee
SSDEEP

24576:5OtT5xvEe1PWJ2hgYU/vSRqzJeVoJQrCA/anxxaSMXJXJHO8WunQM6BjjnlI:5OtT/1PE2hgYs9888CAGxaSMXJ5HuHju

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4964	rundll32.exe
4964	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4136	3044	db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe	66
PID 3044 wrote to memory of 4136	3044	db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe	66
PID 3044 wrote to memory of 4136	3044	db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe	66
PID 4136 wrote to memory of 4964	4136	control.exe	68
PID 4136 wrote to memory of 4964	4136	control.exe	68
PID 4136 wrote to memory of 4964	4136	control.exe	68
PID 4964 wrote to memory of 4164	4964	rundll32.exe	69
PID 4964 wrote to memory of 4164	4964	rundll32.exe	69
PID 4164 wrote to memory of 2584	4164	RunDll32.exe	70
PID 4164 wrote to memory of 2584	4164	RunDll32.exe	70
PID 4164 wrote to memory of 2584	4164	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe
"C:\Users\Admin\AppData\Local\Temp\db5b70617a14193a6250498e709ec3cebc1e96e402523e96f382454a5e248a09.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SBP7SIQr.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBP7SIQr.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SBP7SIQr.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\SBP7SIQr.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:2584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SBP7SIQr.Cpl

Filesize
1.2MB

MD5
18ca51c01b3c2271ee86aa36516c8ed9

SHA1
ff799f1687618e1cfe1674e4726c9d7b42b18f79

SHA256
a3fe0c464f4ce6a8d2854e5e395ee2483538e4f501adc3b3ea2a66824cf619cb

SHA512
4a79c6145f1611148e55a24e150836c0be9f40bfa70f575719312f8631c5a9f3c274c0fba1e4e4014bf5f7df83166b54bdfe42cc148f9dad4f46a8cbc567e56a

Download Submit
\Users\Admin\AppData\Local\Temp\sbP7SIqr.cpl

Filesize
1.2MB

MD5
18ca51c01b3c2271ee86aa36516c8ed9

SHA1
ff799f1687618e1cfe1674e4726c9d7b42b18f79

SHA256
a3fe0c464f4ce6a8d2854e5e395ee2483538e4f501adc3b3ea2a66824cf619cb

SHA512
4a79c6145f1611148e55a24e150836c0be9f40bfa70f575719312f8631c5a9f3c274c0fba1e4e4014bf5f7df83166b54bdfe42cc148f9dad4f46a8cbc567e56a

Download Submit
\Users\Admin\AppData\Local\Temp\sbP7SIqr.cpl

Filesize
1.2MB

MD5
18ca51c01b3c2271ee86aa36516c8ed9

SHA1
ff799f1687618e1cfe1674e4726c9d7b42b18f79

SHA256
a3fe0c464f4ce6a8d2854e5e395ee2483538e4f501adc3b3ea2a66824cf619cb

SHA512
4a79c6145f1611148e55a24e150836c0be9f40bfa70f575719312f8631c5a9f3c274c0fba1e4e4014bf5f7df83166b54bdfe42cc148f9dad4f46a8cbc567e56a

Download Submit
\Users\Admin\AppData\Local\Temp\sbP7SIqr.cpl

Filesize
1.2MB

MD5
18ca51c01b3c2271ee86aa36516c8ed9

SHA1
ff799f1687618e1cfe1674e4726c9d7b42b18f79

SHA256
a3fe0c464f4ce6a8d2854e5e395ee2483538e4f501adc3b3ea2a66824cf619cb

SHA512
4a79c6145f1611148e55a24e150836c0be9f40bfa70f575719312f8631c5a9f3c274c0fba1e4e4014bf5f7df83166b54bdfe42cc148f9dad4f46a8cbc567e56a

Download Submit
\Users\Admin\AppData\Local\Temp\sbP7SIqr.cpl

Filesize
1.2MB

MD5
18ca51c01b3c2271ee86aa36516c8ed9

SHA1
ff799f1687618e1cfe1674e4726c9d7b42b18f79

SHA256
a3fe0c464f4ce6a8d2854e5e395ee2483538e4f501adc3b3ea2a66824cf619cb

SHA512
4a79c6145f1611148e55a24e150836c0be9f40bfa70f575719312f8631c5a9f3c274c0fba1e4e4014bf5f7df83166b54bdfe42cc148f9dad4f46a8cbc567e56a

Download Submit
memory/2584-152-0x00000000048F0000-0x00000000049BE000-memory.dmp

Filesize
824KB

Download
memory/2584-151-0x00000000048F0000-0x00000000049BE000-memory.dmp

Filesize
824KB

Download
memory/2584-148-0x00000000048F0000-0x00000000049BE000-memory.dmp

Filesize
824KB

Download
memory/2584-147-0x0000000004800000-0x00000000048E6000-memory.dmp

Filesize
920KB

Download
memory/2584-145-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/2584-143-0x0000000000B60000-0x0000000000C8B000-memory.dmp

Filesize
1.2MB

Download
memory/2584-142-0x0000000000B60000-0x0000000000C8B000-memory.dmp

Filesize
1.2MB

Download
memory/4964-130-0x0000000000CD0000-0x0000000000DFB000-memory.dmp

Filesize
1.2MB

Download
memory/4964-139-0x0000000004A40000-0x0000000004B0E000-memory.dmp

Filesize
824KB

Download
memory/4964-138-0x0000000004A40000-0x0000000004B0E000-memory.dmp

Filesize
824KB

Download
memory/4964-135-0x0000000004A40000-0x0000000004B0E000-memory.dmp

Filesize
824KB

Download
memory/4964-134-0x0000000004950000-0x0000000004A36000-memory.dmp

Filesize
920KB

Download
memory/4964-132-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4964-129-0x0000000000CD0000-0x0000000000DFB000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing