04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db

General

Target

04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe
Size

1.5MB
MD5

5d4ae70183a17ca240ad3fed0674037f
SHA1

7840296630f27090899522b28552384803dd3284
SHA256

04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db
SHA512

03e4db85d9f5c11f11ab6be15c7b2dd3d76e952de1922d958b26161bb1e475e6c8f1849ecc515af3d31d61cb815704a8a95ab4ca86e2d74d9f286453bb0514b2
SSDEEP

24576:dOuz3GIV6EGkM+mc4egX/OZq42Ku3kMyniMvMjSYFb7e8N8ZNc/IPhaQ6nZR:suz3GDPxvO84uVyiMUS+7e8uk/yha3n

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2996	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000_Classes\Local Settings	04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3928	4720	04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe	69
PID 4720 wrote to memory of 3928	4720	04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe	69
PID 4720 wrote to memory of 3928	4720	04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe	69
PID 3928 wrote to memory of 2996	3928	control.exe	71
PID 3928 wrote to memory of 2996	3928	control.exe	71
PID 3928 wrote to memory of 2996	3928	control.exe	71
PID 2996 wrote to memory of 944	2996	rundll32.exe	72
PID 2996 wrote to memory of 944	2996	rundll32.exe	72
PID 944 wrote to memory of 1640	944	RunDll32.exe	73
PID 944 wrote to memory of 1640	944	RunDll32.exe	73
PID 944 wrote to memory of 1640	944	RunDll32.exe	73

C:\Users\Admin\AppData\Local\Temp\04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe
"C:\Users\Admin\AppData\Local\Temp\04f133caeb89097c8a29b5810971e40fb3adedfee3aa85b2ebe48289168e39db.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\6CKR.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6CKR.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6CKR.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\6CKR.cPl",
        5⤵
        Loads dropped DLL
        
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6CKR.cPl

Filesize
1.3MB

MD5
2f06497109a001323e8bad418bf7e458

SHA1
0e705a41d76070d1c7aa317d00a74b42ea4d3e66

SHA256
1a686ccf47013ea60e6c9dba470bb5751cfc33f41a3719d5af243200f22c63f2

SHA512
d992f59aca80024f7b5fa02f9cead8a1880efcdd42d55ab903ad6d2b05425df5580bcc368b62fa03a1239b5cbe88f485f5c43487d8408915094c9a8c81fd5af8

Download Submit
\Users\Admin\AppData\Local\Temp\6CkR.cpl

Filesize
1.3MB

MD5
2f06497109a001323e8bad418bf7e458

SHA1
0e705a41d76070d1c7aa317d00a74b42ea4d3e66

SHA256
1a686ccf47013ea60e6c9dba470bb5751cfc33f41a3719d5af243200f22c63f2

SHA512
d992f59aca80024f7b5fa02f9cead8a1880efcdd42d55ab903ad6d2b05425df5580bcc368b62fa03a1239b5cbe88f485f5c43487d8408915094c9a8c81fd5af8

Download Submit
\Users\Admin\AppData\Local\Temp\6CkR.cpl

Filesize
1.3MB

MD5
2f06497109a001323e8bad418bf7e458

SHA1
0e705a41d76070d1c7aa317d00a74b42ea4d3e66

SHA256
1a686ccf47013ea60e6c9dba470bb5751cfc33f41a3719d5af243200f22c63f2

SHA512
d992f59aca80024f7b5fa02f9cead8a1880efcdd42d55ab903ad6d2b05425df5580bcc368b62fa03a1239b5cbe88f485f5c43487d8408915094c9a8c81fd5af8

Download Submit
\Users\Admin\AppData\Local\Temp\6CkR.cpl

Filesize
1.3MB

MD5
2f06497109a001323e8bad418bf7e458

SHA1
0e705a41d76070d1c7aa317d00a74b42ea4d3e66

SHA256
1a686ccf47013ea60e6c9dba470bb5751cfc33f41a3719d5af243200f22c63f2

SHA512
d992f59aca80024f7b5fa02f9cead8a1880efcdd42d55ab903ad6d2b05425df5580bcc368b62fa03a1239b5cbe88f485f5c43487d8408915094c9a8c81fd5af8

Download Submit
memory/1640-139-0x0000000004230000-0x0000000004385000-memory.dmp

Filesize
1.3MB

Download
memory/1640-137-0x0000000004230000-0x0000000004385000-memory.dmp

Filesize
1.3MB

Download
memory/1640-138-0x0000000002510000-0x0000000002516000-memory.dmp

Filesize
24KB

Download
memory/1640-143-0x0000000004750000-0x000000000486B000-memory.dmp

Filesize
1.1MB

Download
memory/1640-144-0x0000000004870000-0x0000000004971000-memory.dmp

Filesize
1.0MB

Download
memory/1640-147-0x0000000004870000-0x0000000004971000-memory.dmp

Filesize
1.0MB

Download
memory/1640-148-0x0000000004870000-0x0000000004971000-memory.dmp

Filesize
1.0MB

Download
memory/2996-130-0x0000000004E60000-0x0000000004F61000-memory.dmp

Filesize
1.0MB

Download
memory/2996-133-0x0000000004E60000-0x0000000004F61000-memory.dmp

Filesize
1.0MB

Download
memory/2996-134-0x0000000004E60000-0x0000000004F61000-memory.dmp

Filesize
1.0MB

Download
memory/2996-129-0x0000000004D40000-0x0000000004E5B000-memory.dmp

Filesize
1.1MB

Download
memory/2996-124-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

Filesize
24KB

Download
memory/2996-125-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing