735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61

General

Target

735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe
Size

1.3MB
MD5

ce0d530cf1542b59146139dcc0cf1adf
SHA1

f8055197b2de0b280a71716adce193eec4871df0
SHA256

735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61
SHA512

93c7465edb3aa5891e0c0a8d56ebf33590042e04ea751575f978b34e3b0a73a0b626d390bba8fc90c8e464b27504b27e975e32a1af715d5770cf77f50d2dd51a
SSDEEP

24576:YLeTtjJFtHrKfFrEiYMTmO8bQe19bhvn0t9PU4p4E/STFs1vyxFpkRep:YLYkfVE2KOwH19tqeirSF9FpaO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4608	rundll32.exe
4608	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3476	3648	735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe	66
PID 3648 wrote to memory of 3476	3648	735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe	66
PID 3648 wrote to memory of 3476	3648	735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe	66
PID 3476 wrote to memory of 4608	3476	control.exe	67
PID 3476 wrote to memory of 4608	3476	control.exe	67
PID 3476 wrote to memory of 4608	3476	control.exe	67
PID 4608 wrote to memory of 2056	4608	rundll32.exe	68
PID 4608 wrote to memory of 2056	4608	rundll32.exe	68
PID 2056 wrote to memory of 1636	2056	RunDll32.exe	69
PID 2056 wrote to memory of 1636	2056	RunDll32.exe	69
PID 2056 wrote to memory of 1636	2056	RunDll32.exe	69

C:\Users\Admin\AppData\Local\Temp\735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe
"C:\Users\Admin\AppData\Local\Temp\735d979fa7788f08f1f01c180f7ca0c4cd7bcbce122a511bcd2375be99304b61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\NBCD.9Jb
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\NBCD.9Jb
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\NBCD.9Jb
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\NBCD.9Jb
        5⤵
        Loads dropped DLL
        
        PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NBCD.9Jb

Filesize
1.4MB

MD5
c6fd7199391cf051c70370bc257601c8

SHA1
de146643cbadbefa6fab80efd11e9a47e0776246

SHA256
b49320e8c877ca855b9d725e90e46813fb65c666d2ffb3f730bb610c5e5d206a

SHA512
9ced521d9d9326c5821c81efc92d7f0056c868ec4e97eb80f56aa46d3e2053436188dad803cea2fc6643fdf1caa2b54efeeeb1cd3a421300d20b28f1e9ad6b0e

Download Submit
\Users\Admin\AppData\Local\Temp\NbCD.9Jb

Filesize
1.4MB

MD5
c6fd7199391cf051c70370bc257601c8

SHA1
de146643cbadbefa6fab80efd11e9a47e0776246

SHA256
b49320e8c877ca855b9d725e90e46813fb65c666d2ffb3f730bb610c5e5d206a

SHA512
9ced521d9d9326c5821c81efc92d7f0056c868ec4e97eb80f56aa46d3e2053436188dad803cea2fc6643fdf1caa2b54efeeeb1cd3a421300d20b28f1e9ad6b0e

Download Submit
\Users\Admin\AppData\Local\Temp\NbCD.9Jb

Filesize
1.4MB

MD5
c6fd7199391cf051c70370bc257601c8

SHA1
de146643cbadbefa6fab80efd11e9a47e0776246

SHA256
b49320e8c877ca855b9d725e90e46813fb65c666d2ffb3f730bb610c5e5d206a

SHA512
9ced521d9d9326c5821c81efc92d7f0056c868ec4e97eb80f56aa46d3e2053436188dad803cea2fc6643fdf1caa2b54efeeeb1cd3a421300d20b28f1e9ad6b0e

Download Submit
\Users\Admin\AppData\Local\Temp\NbCD.9Jb

Filesize
1.4MB

MD5
c6fd7199391cf051c70370bc257601c8

SHA1
de146643cbadbefa6fab80efd11e9a47e0776246

SHA256
b49320e8c877ca855b9d725e90e46813fb65c666d2ffb3f730bb610c5e5d206a

SHA512
9ced521d9d9326c5821c81efc92d7f0056c868ec4e97eb80f56aa46d3e2053436188dad803cea2fc6643fdf1caa2b54efeeeb1cd3a421300d20b28f1e9ad6b0e

Download Submit
\Users\Admin\AppData\Local\Temp\NbCD.9Jb

Filesize
1.4MB

MD5
c6fd7199391cf051c70370bc257601c8

SHA1
de146643cbadbefa6fab80efd11e9a47e0776246

SHA256
b49320e8c877ca855b9d725e90e46813fb65c666d2ffb3f730bb610c5e5d206a

SHA512
9ced521d9d9326c5821c81efc92d7f0056c868ec4e97eb80f56aa46d3e2053436188dad803cea2fc6643fdf1caa2b54efeeeb1cd3a421300d20b28f1e9ad6b0e

Download Submit
memory/1636-152-0x0000000004BB0000-0x0000000004C89000-memory.dmp

Filesize
868KB

Download
memory/1636-151-0x0000000004BB0000-0x0000000004C89000-memory.dmp

Filesize
868KB

Download
memory/1636-148-0x0000000004BB0000-0x0000000004C89000-memory.dmp

Filesize
868KB

Download
memory/1636-147-0x0000000004AC0000-0x0000000004BAE000-memory.dmp

Filesize
952KB

Download
memory/1636-144-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download
memory/1636-142-0x00000000046D0000-0x000000000482E000-memory.dmp

Filesize
1.4MB

Download
memory/1636-141-0x00000000046D0000-0x000000000482E000-memory.dmp

Filesize
1.4MB

Download
memory/4608-127-0x0000000004450000-0x00000000045AE000-memory.dmp

Filesize
1.4MB

Download
memory/4608-138-0x0000000004910000-0x00000000049E9000-memory.dmp

Filesize
868KB

Download
memory/4608-137-0x0000000004910000-0x00000000049E9000-memory.dmp

Filesize
868KB

Download
memory/4608-134-0x0000000004910000-0x00000000049E9000-memory.dmp

Filesize
868KB

Download
memory/4608-133-0x0000000004810000-0x00000000048FE000-memory.dmp

Filesize
952KB

Download
memory/4608-129-0x00000000046F0000-0x00000000046F6000-memory.dmp

Filesize
24KB

Download
memory/4608-126-0x0000000004450000-0x00000000045AE000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing