c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4

General

Target

c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe
Size

2.2MB
MD5

a774aa5a08df00a32d5bc793a2b3035a
SHA1

0ce3fee23a519452990504e32a114d85527cf957
SHA256

c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4
SHA512

fad8a9ea587a6c34f3400f9b8fdbd702c06ac4bf3d27e5f6144955176d9ff42b044be3b42f58f3c0e94e12aeb9b19a8d7aabf5e5dd9e66faf6a26ada9410db0b
SSDEEP

49152:2WhlHLBfJXAE96bAhssOIoC2E3+XgCjkO8r6suVKN8w0I3gDIfRjz:2WhlrBfKE8oHodxQCjD8xuV5Ncpz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4296	rundll32.exe
4296	rundll32.exe
1456	rundll32.exe
1456	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3908	3428	c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe	82
PID 3428 wrote to memory of 3908	3428	c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe	82
PID 3428 wrote to memory of 3908	3428	c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe	82
PID 3908 wrote to memory of 4296	3908	control.exe	84
PID 3908 wrote to memory of 4296	3908	control.exe	84
PID 3908 wrote to memory of 4296	3908	control.exe	84
PID 4296 wrote to memory of 4120	4296	rundll32.exe	92
PID 4296 wrote to memory of 4120	4296	rundll32.exe	92
PID 4120 wrote to memory of 1456	4120	RunDll32.exe	93
PID 4120 wrote to memory of 1456	4120	RunDll32.exe	93
PID 4120 wrote to memory of 1456	4120	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe
"C:\Users\Admin\AppData\Local\Temp\c82fc4cbb61be6ec170db9a7f21bd0a678a70419deb8bed891c8b0f176e0efa4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\pEIY.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pEIY.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pEIY.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\pEIY.CPL",
        5⤵
        Loads dropped DLL
        
        PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pEIY.CPL

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEIy.cpl

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEIy.cpl

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEIy.cpl

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEIy.cpl

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pEIy.cpl

Filesize
1.7MB

MD5
b4dfa566067f595c45439067bdb1c229

SHA1
b48d958decc8524abe4103b717ce87d45d74166b

SHA256
f73d8638afd30b6f91613c0d34ca9f4d20dda86eb9f6d25052ef60a72ebef3eb

SHA512
5aa43b9b1d30272cd731fc0dc5dcca7c5961c3fef3c29548da04851522278232a9740fd9f4881ed8695db4111cedd7f7dde8e3ce892d07f73ec3fd8de8d83c35

Download Submit
memory/1456-166-0x0000000002DE0000-0x0000000002ECB000-memory.dmp

Filesize
940KB

Download
memory/1456-163-0x0000000002DE0000-0x0000000002ECB000-memory.dmp

Filesize
940KB

Download
memory/1456-162-0x0000000002CD0000-0x0000000002DD1000-memory.dmp

Filesize
1.0MB

Download
memory/1456-158-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/1456-159-0x0000000002840000-0x00000000029FB000-memory.dmp

Filesize
1.7MB

Download
memory/1456-157-0x0000000002840000-0x00000000029FB000-memory.dmp

Filesize
1.7MB

Download
memory/1456-167-0x0000000002DE0000-0x0000000002ECB000-memory.dmp

Filesize
940KB

Download
memory/4296-146-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/4296-154-0x0000000002B60000-0x0000000002C4B000-memory.dmp

Filesize
940KB

Download
memory/4296-153-0x0000000002B60000-0x0000000002C4B000-memory.dmp

Filesize
940KB

Download
memory/4296-150-0x0000000002B60000-0x0000000002C4B000-memory.dmp

Filesize
940KB

Download
memory/4296-149-0x0000000002A50000-0x0000000002B51000-memory.dmp

Filesize
1.0MB

Download
memory/4296-147-0x00000000025C0000-0x000000000277B000-memory.dmp

Filesize
1.7MB

Download
memory/4296-145-0x00000000025C0000-0x000000000277B000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing