7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d

General

Target

7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe
Size

2.8MB
MD5

f3c7a1989d04b8641261ec25cfdc7e41
SHA1

54d80f6d5cae89184197aeaaeb797ca8a5bdedc8
SHA256

7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d
SHA512

f05ea72e4f0f4c6702d62ea6fadca2dd4a0c534a5b56c0362ef328305b102ad92fe52f97d3a63f593d72d079b4d5cb3d9232306c506d8502cd4d199c1282f63f
SSDEEP

49152:HdgoAtbKFwR8PjNdGQfkuU2RopZz/8K4OEr106ywgS/ImJ/X6oNoUmzAbIvl:H+bCvPjfs2Wj1ErO6ywB/Rv9NZpq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4784	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2576	4264	7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe	81
PID 4264 wrote to memory of 2576	4264	7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe	81
PID 4264 wrote to memory of 2576	4264	7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe	81
PID 2576 wrote to memory of 4784	2576	control.exe	83
PID 2576 wrote to memory of 4784	2576	control.exe	83
PID 2576 wrote to memory of 4784	2576	control.exe	83
PID 4784 wrote to memory of 4436	4784	rundll32.exe	88
PID 4784 wrote to memory of 4436	4784	rundll32.exe	88
PID 4436 wrote to memory of 2228	4436	RunDll32.exe	89
PID 4436 wrote to memory of 2228	4436	RunDll32.exe	89
PID 4436 wrote to memory of 2228	4436	RunDll32.exe	89

C:\Users\Admin\AppData\Local\Temp\7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe
"C:\Users\Admin\AppData\Local\Temp\7969c21db8b84f425da517cdfcd869980dba393186641d74843bd2f0390fb54d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OMAVG_.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OMAVG_.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OMAVG_.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\OMAVG_.CpL",
        5⤵
        Loads dropped DLL
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OMAVG_.CpL

Filesize
2.3MB

MD5
ac2b1e3806c36082af86dee52d4af1b1

SHA1
18c3a5c18180b4094855c3d91406744912f62437

SHA256
95a4de28c3ebb7e05d8d887ac89a2f82dbbafd43f45bb55dcd52b9a1a568644a

SHA512
59a84c348b15193c99b257d87509f30fb9b15eb360745493ceef27c80354e6a9119a2b5fc2e52a76e5b2ccf5b4c8a81e96d7cfc569bab756dabe52a509603389

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAVG_.cpl

Filesize
2.3MB

MD5
ac2b1e3806c36082af86dee52d4af1b1

SHA1
18c3a5c18180b4094855c3d91406744912f62437

SHA256
95a4de28c3ebb7e05d8d887ac89a2f82dbbafd43f45bb55dcd52b9a1a568644a

SHA512
59a84c348b15193c99b257d87509f30fb9b15eb360745493ceef27c80354e6a9119a2b5fc2e52a76e5b2ccf5b4c8a81e96d7cfc569bab756dabe52a509603389

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAVG_.cpl

Filesize
2.3MB

MD5
ac2b1e3806c36082af86dee52d4af1b1

SHA1
18c3a5c18180b4094855c3d91406744912f62437

SHA256
95a4de28c3ebb7e05d8d887ac89a2f82dbbafd43f45bb55dcd52b9a1a568644a

SHA512
59a84c348b15193c99b257d87509f30fb9b15eb360745493ceef27c80354e6a9119a2b5fc2e52a76e5b2ccf5b4c8a81e96d7cfc569bab756dabe52a509603389

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAVG_.cpl

Filesize
2.3MB

MD5
ac2b1e3806c36082af86dee52d4af1b1

SHA1
18c3a5c18180b4094855c3d91406744912f62437

SHA256
95a4de28c3ebb7e05d8d887ac89a2f82dbbafd43f45bb55dcd52b9a1a568644a

SHA512
59a84c348b15193c99b257d87509f30fb9b15eb360745493ceef27c80354e6a9119a2b5fc2e52a76e5b2ccf5b4c8a81e96d7cfc569bab756dabe52a509603389

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAVG_.cpl

Filesize
2.3MB

MD5
ac2b1e3806c36082af86dee52d4af1b1

SHA1
18c3a5c18180b4094855c3d91406744912f62437

SHA256
95a4de28c3ebb7e05d8d887ac89a2f82dbbafd43f45bb55dcd52b9a1a568644a

SHA512
59a84c348b15193c99b257d87509f30fb9b15eb360745493ceef27c80354e6a9119a2b5fc2e52a76e5b2ccf5b4c8a81e96d7cfc569bab756dabe52a509603389

Download Submit
memory/2228-155-0x00000000028F0000-0x0000000002B34000-memory.dmp

Filesize
2.3MB

Download
memory/2228-163-0x0000000002400000-0x00000000024DE000-memory.dmp

Filesize
888KB

Download
memory/2228-162-0x0000000002400000-0x00000000024DE000-memory.dmp

Filesize
888KB

Download
memory/2228-159-0x0000000002400000-0x00000000024DE000-memory.dmp

Filesize
888KB

Download
memory/2228-158-0x0000000002E90000-0x0000000002F87000-memory.dmp

Filesize
988KB

Download
memory/2228-156-0x00000000028F0000-0x0000000002B34000-memory.dmp

Filesize
2.3MB

Download
memory/4784-144-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/4784-152-0x0000000002EF0000-0x0000000002FCE000-memory.dmp

Filesize
888KB

Download
memory/4784-151-0x0000000002EF0000-0x0000000002FCE000-memory.dmp

Filesize
888KB

Download
memory/4784-148-0x0000000002EF0000-0x0000000002FCE000-memory.dmp

Filesize
888KB

Download
memory/4784-147-0x0000000002DF0000-0x0000000002EE7000-memory.dmp

Filesize
988KB

Download
memory/4784-145-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing