45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479

Analysis

max time kernel
128s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/07/2023, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe
Size

1.5MB
MD5

9a79b6974ee6425a1e9c5efb73fad726
SHA1

b5a0374c1cc9d04c78da23a623d0bfdf0504013f
SHA256

45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479
SHA512

792103471305a7641aa5e7294604382cad77a53faad0de3e1ad8f9cb31ad15ec97ae4cf60523562627d6ac5d3bf6417ad4f13275799035fe9427c66da41045ea
SSDEEP

24576:qDkUNi1slEk0xLwgxwuuSanTFFi22b27kc3o2fV4Q8YlvuGVENHDkhm/RfpxeRG6:qDkUjjiU8Xan5Q2PRo26/wvuGV6IcRBc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4240	rundll32.exe
1076	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000_Classes\Local Settings	45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 4856	4012	45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe	70
PID 4012 wrote to memory of 4856	4012	45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe	70
PID 4012 wrote to memory of 4856	4012	45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe	70
PID 4856 wrote to memory of 4240	4856	control.exe	72
PID 4856 wrote to memory of 4240	4856	control.exe	72
PID 4856 wrote to memory of 4240	4856	control.exe	72
PID 4240 wrote to memory of 2468	4240	rundll32.exe	73
PID 4240 wrote to memory of 2468	4240	rundll32.exe	73
PID 2468 wrote to memory of 1076	2468	RunDll32.exe	74
PID 2468 wrote to memory of 1076	2468	RunDll32.exe	74
PID 2468 wrote to memory of 1076	2468	RunDll32.exe	74

C:\Users\Admin\AppData\Local\Temp\45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe
"C:\Users\Admin\AppData\Local\Temp\45f4d8e008932a793b0070ab1e85cae710f8c25aa51a9a1b8f3b5041979de479.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\iZX5.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iZX5.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iZX5.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\iZX5.cpL",
        5⤵
        Loads dropped DLL
        
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iZX5.cpL

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
\Users\Admin\AppData\Local\Temp\izx5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
\Users\Admin\AppData\Local\Temp\izx5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
memory/1076-148-0x0000000005630000-0x000000000571F000-memory.dmp

Filesize
956KB

Download
memory/1076-147-0x0000000005630000-0x000000000571F000-memory.dmp

Filesize
956KB

Download
memory/1076-144-0x0000000005630000-0x000000000571F000-memory.dmp

Filesize
956KB

Download
memory/1076-143-0x0000000005520000-0x0000000005628000-memory.dmp

Filesize
1.0MB

Download
memory/1076-137-0x0000000003400000-0x0000000003406000-memory.dmp

Filesize
24KB

Download
memory/4240-125-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4240-135-0x0000000004EE0000-0x0000000004FCF000-memory.dmp

Filesize
956KB

Download
memory/4240-134-0x0000000004EE0000-0x0000000004FCF000-memory.dmp

Filesize
956KB

Download
memory/4240-131-0x0000000004EE0000-0x0000000004FCF000-memory.dmp

Filesize
956KB

Download
memory/4240-130-0x0000000004DD0000-0x0000000004ED8000-memory.dmp

Filesize
1.0MB

Download
memory/4240-124-0x0000000000C80000-0x0000000000C86000-memory.dmp

Filesize
24KB

Download