2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29/06/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743231862cd5eebccceec6420da8d849.exe
Size

1.5MB
MD5

743231862cd5eebccceec6420da8d849
SHA1

010f3f295fa5a40b5d153dc7cedd8b9b8161df4f
SHA256

2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d
SHA512

bd754600efa22147b6106ac93af24fadccfb56a69a0d4b1a2b02ac4ccf5a03e4f463e4246e51751a680c4110201a86595574c5f1250b1324eab112cb67cf9fb4
SSDEEP

49152:qDkUjj/ll6POkDpovMg/M9e7qz0HqFXGySqo:q4UFQ/DpeV/MXpFXGL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1300	1744	743231862cd5eebccceec6420da8d849.exe	28
PID 1744 wrote to memory of 1300	1744	743231862cd5eebccceec6420da8d849.exe	28
PID 1744 wrote to memory of 1300	1744	743231862cd5eebccceec6420da8d849.exe	28
PID 1744 wrote to memory of 1300	1744	743231862cd5eebccceec6420da8d849.exe	28
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 1300 wrote to memory of 2044	1300	control.exe	29
PID 2044 wrote to memory of 1108	2044	rundll32.exe	30
PID 2044 wrote to memory of 1108	2044	rundll32.exe	30
PID 2044 wrote to memory of 1108	2044	rundll32.exe	30
PID 2044 wrote to memory of 1108	2044	rundll32.exe	30
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31
PID 1108 wrote to memory of 520	1108	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\743231862cd5eebccceec6420da8d849.exe
"C:\Users\Admin\AppData\Local\Temp\743231862cd5eebccceec6420da8d849.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
        5⤵
        Loads dropped DLL
        
        PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
memory/520-67-0x0000000000900000-0x0000000000AA5000-memory.dmp

Filesize
1.6MB

Download
memory/2044-62-0x0000000002240000-0x00000000023E5000-memory.dmp

Filesize
1.6MB

Download