Analysis
max time kernel: 140s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2023, 17:10
Static task: static1
Behavioral task: behavioral1
Sample: d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
Resource: win10v2004-20230703-en
General
Target: d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
Size: 2.8MB
MD5: 46b4dffd9aa4113ce729c10875cd311c
SHA1: f9afdcaf30321b7a866c398144c69196351916fc
SHA256: d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d
SHA512: 46c0c898349207b2ef1af462c8d7bb70badecfa6e476113ac396a4b6895f83be83eb221fcc458ce80a0e452f30c2ebe96aaa1b1cdc6d06396a755ef5c438c4c4
SSDEEP: 49152:wWhr59BfJXAE+UsNHCmp6bNPiV4qd2DZNoRxSSZJ0gDbiHAy1JlsPQ1VhttMTUxN:wWhrPBfKEOiA6bNP24qsDLoRxSCJYOlO
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  2608  rundll32.exe
  2608  rundll32.exe
  4596  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings
  Process: d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process                                                                    procid_target
  PID 1296 wrote to memory of 5048     1296  d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe      80
  PID 1296 wrote to memory of 5048     1296  d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe      80
  PID 1296 wrote to memory of 5048     1296  d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe      80
  PID 5048 wrote to memory of 2608     5048  control.exe                                                                83
  PID 5048 wrote to memory of 2608     5048  control.exe                                                                83
  PID 5048 wrote to memory of 2608     5048  control.exe                                                                83
  PID 2608 wrote to memory of 708      2608  rundll32.exe                                                               88
  PID 2608 wrote to memory of 708      2608  rundll32.exe                                                               88
  PID 708 wrote to memory of 4596      708   RunDll32.exe                                                               89
  PID 708 wrote to memory of 4596      708   RunDll32.exe                                                               89
  PID 708 wrote to memory of 4596      708   RunDll32.exe                                                               89
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1296
  - Level 2: C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
    - Suspicious use of WriteProcessMemory
    PID:5048
    - Level 3: C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2608
      - Level 4: C:\Windows\system32\RunDll32.exe
        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
        - Suspicious use of WriteProcessMemory
        PID:708
        - Level 5: C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
          - Loads dropped DLL
          PID:4596
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.3MB
  MD5: 97330b5c48213c20c0cb9fa0db60df78
  SHA1: 64e113474e6204355f7f09a120db48fe0c56d4bb
  SHA256: efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7
  SHA512: 68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070