82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6

General

Target

82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe
Size

3.1MB
MD5

43eb363b6534a333800033f8eb4fc69c
SHA1

5f6a7d521fe4f385bec4072e2fdc877ae7b25f5d
SHA256

82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6
SHA512

27f3c8f84fdf0c2025bb87cbad60e6ba2ff53829942d874fad58e1c05843c44a567c2f2c34e24544dd45e4b728856bfc99a98f0df0dbe691a618dbf8484e572f
SSDEEP

98304:2WhlrBfKELjhBz7DrmXfNHKzkkoCaf3Ic6av61i7ueavgu:QUhdDyhKeCfiieav/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2824	rundll32.exe
1972	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3888	3968	82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe	82
PID 3968 wrote to memory of 3888	3968	82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe	82
PID 3968 wrote to memory of 3888	3968	82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe	82
PID 3888 wrote to memory of 2824	3888	control.exe	84
PID 3888 wrote to memory of 2824	3888	control.exe	84
PID 3888 wrote to memory of 2824	3888	control.exe	84
PID 2824 wrote to memory of 2636	2824	rundll32.exe	92
PID 2824 wrote to memory of 2636	2824	rundll32.exe	92
PID 2636 wrote to memory of 1972	2636	RunDll32.exe	93
PID 2636 wrote to memory of 1972	2636	RunDll32.exe	93
PID 2636 wrote to memory of 1972	2636	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe
"C:\Users\Admin\AppData\Local\Temp\82739be1d5a824ee643ac4cdde4229c9071cbec590e8375f6e4a1b85fadb98d6.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\9xBBDBoL.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9xBBDBoL.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9xBBDBoL.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\9xBBDBoL.CPl",
        5⤵
        Loads dropped DLL
        
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9xBBDBoL.CPl

Filesize
2.4MB

MD5
94836fabe87b0ffee9b1d332b7196d1f

SHA1
d96e87b99288e5ed9e8beca7a8168584fcabcde0

SHA256
5b7271dfe3395d2c6b921f99b6580d1293e57da3eda68030809143d51dc0c2cd

SHA512
ce599ce0cae114fc7ca953cb76e8b94f78e98e2dd6a7e8aab3f5c6949761a00149f5faf0065aa3ed6da9e0b42f15d552bfae3e06c8585107f7cc7e1f22e369fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xBBdBol.cpl

Filesize
2.4MB

MD5
94836fabe87b0ffee9b1d332b7196d1f

SHA1
d96e87b99288e5ed9e8beca7a8168584fcabcde0

SHA256
5b7271dfe3395d2c6b921f99b6580d1293e57da3eda68030809143d51dc0c2cd

SHA512
ce599ce0cae114fc7ca953cb76e8b94f78e98e2dd6a7e8aab3f5c6949761a00149f5faf0065aa3ed6da9e0b42f15d552bfae3e06c8585107f7cc7e1f22e369fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xBBdBol.cpl

Filesize
2.4MB

MD5
94836fabe87b0ffee9b1d332b7196d1f

SHA1
d96e87b99288e5ed9e8beca7a8168584fcabcde0

SHA256
5b7271dfe3395d2c6b921f99b6580d1293e57da3eda68030809143d51dc0c2cd

SHA512
ce599ce0cae114fc7ca953cb76e8b94f78e98e2dd6a7e8aab3f5c6949761a00149f5faf0065aa3ed6da9e0b42f15d552bfae3e06c8585107f7cc7e1f22e369fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xBBdBol.cpl

Filesize
2.4MB

MD5
94836fabe87b0ffee9b1d332b7196d1f

SHA1
d96e87b99288e5ed9e8beca7a8168584fcabcde0

SHA256
5b7271dfe3395d2c6b921f99b6580d1293e57da3eda68030809143d51dc0c2cd

SHA512
ce599ce0cae114fc7ca953cb76e8b94f78e98e2dd6a7e8aab3f5c6949761a00149f5faf0065aa3ed6da9e0b42f15d552bfae3e06c8585107f7cc7e1f22e369fa

Download Submit
memory/1972-165-0x00000000031A0000-0x000000000327E000-memory.dmp

Filesize
888KB

Download
memory/1972-164-0x00000000031A0000-0x000000000327E000-memory.dmp

Filesize
888KB

Download
memory/1972-161-0x00000000031A0000-0x000000000327E000-memory.dmp

Filesize
888KB

Download
memory/1972-160-0x0000000002DC0000-0x0000000002EB6000-memory.dmp

Filesize
984KB

Download
memory/1972-156-0x0000000000E70000-0x0000000000E76000-memory.dmp

Filesize
24KB

Download
memory/2824-145-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/2824-153-0x0000000003180000-0x000000000325E000-memory.dmp

Filesize
888KB

Download
memory/2824-152-0x0000000003180000-0x000000000325E000-memory.dmp

Filesize
888KB

Download
memory/2824-149-0x0000000003180000-0x000000000325E000-memory.dmp

Filesize
888KB

Download
memory/2824-148-0x0000000003080000-0x0000000003176000-memory.dmp

Filesize
984KB

Download
memory/2824-144-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing