d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d

General

Target

d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
Size

2.8MB
MD5

46b4dffd9aa4113ce729c10875cd311c
SHA1

f9afdcaf30321b7a866c398144c69196351916fc
SHA256

d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d
SHA512

46c0c898349207b2ef1af462c8d7bb70badecfa6e476113ac396a4b6895f83be83eb221fcc458ce80a0e452f30c2ebe96aaa1b1cdc6d06396a755ef5c438c4c4
SSDEEP

49152:wWhr59BfJXAE+UsNHCmp6bNPiV4qd2DZNoRxSSZJ0gDbiHAy1JlsPQ1VhttMTUxN:wWhrPBfKEOiA6bNP24qsDLoRxSCJYOlO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2608	rundll32.exe
2608	rundll32.exe
4596	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 5048	1296	d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe	80
PID 1296 wrote to memory of 5048	1296	d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe	80
PID 1296 wrote to memory of 5048	1296	d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe	80
PID 5048 wrote to memory of 2608	5048	control.exe	83
PID 5048 wrote to memory of 2608	5048	control.exe	83
PID 5048 wrote to memory of 2608	5048	control.exe	83
PID 2608 wrote to memory of 708	2608	rundll32.exe	88
PID 2608 wrote to memory of 708	2608	rundll32.exe	88
PID 708 wrote to memory of 4596	708	RunDll32.exe	89
PID 708 wrote to memory of 4596	708	RunDll32.exe	89
PID 708 wrote to memory of 4596	708	RunDll32.exe	89

C:\Users\Admin\AppData\Local\Temp\d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe
"C:\Users\Admin\AppData\Local\Temp\d5e69f91b59ec7c35a48ab9d3018c9a891257cc2a4433335da58393dd93d949d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL",
        5⤵
        Loads dropped DLL
        
        PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8PN~cF.cPL

Filesize
2.3MB

MD5
97330b5c48213c20c0cb9fa0db60df78

SHA1
64e113474e6204355f7f09a120db48fe0c56d4bb

SHA256
efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7

SHA512
68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pn~cF.cpl

Filesize
2.3MB

MD5
97330b5c48213c20c0cb9fa0db60df78

SHA1
64e113474e6204355f7f09a120db48fe0c56d4bb

SHA256
efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7

SHA512
68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pn~cF.cpl

Filesize
2.3MB

MD5
97330b5c48213c20c0cb9fa0db60df78

SHA1
64e113474e6204355f7f09a120db48fe0c56d4bb

SHA256
efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7

SHA512
68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pn~cF.cpl

Filesize
2.3MB

MD5
97330b5c48213c20c0cb9fa0db60df78

SHA1
64e113474e6204355f7f09a120db48fe0c56d4bb

SHA256
efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7

SHA512
68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pn~cF.cpl

Filesize
2.3MB

MD5
97330b5c48213c20c0cb9fa0db60df78

SHA1
64e113474e6204355f7f09a120db48fe0c56d4bb

SHA256
efe8d1a2094ddf5b3f92bed0d11e5724ca2214ecf5f5770a7853b2764f2d51c7

SHA512
68bd5caf4dd5fa52501ee833a3421ca85ef398c2ee5e62a8c4068161d0b6196d35d4cc87bf11d735b38c578500602e0f313808c56bacce6e456cda30f5bc1070

Download Submit
memory/2608-145-0x0000000002550000-0x000000000279D000-memory.dmp

Filesize
2.3MB

Download
memory/2608-146-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/2608-149-0x0000000002BB0000-0x0000000002CB1000-memory.dmp

Filesize
1.0MB

Download
memory/2608-150-0x0000000002CC0000-0x0000000002DA9000-memory.dmp

Filesize
932KB

Download
memory/2608-151-0x0000000002CC0000-0x0000000002DA9000-memory.dmp

Filesize
932KB

Download
memory/2608-153-0x0000000002CC0000-0x0000000002DA9000-memory.dmp

Filesize
932KB

Download
memory/2608-154-0x0000000002CC0000-0x0000000002DA9000-memory.dmp

Filesize
932KB

Download
memory/2608-147-0x0000000002550000-0x000000000279D000-memory.dmp

Filesize
2.3MB

Download
memory/4596-157-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/4596-156-0x00000000030A0000-0x00000000030A6000-memory.dmp

Filesize
24KB

Download
memory/4596-159-0x0000000003430000-0x0000000003531000-memory.dmp

Filesize
1.0MB

Download
memory/4596-161-0x0000000003550000-0x0000000003639000-memory.dmp

Filesize
932KB

Download
memory/4596-163-0x0000000003550000-0x0000000003639000-memory.dmp

Filesize
932KB

Download
memory/4596-164-0x0000000003550000-0x0000000003639000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing