b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44

General

Target

b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe
Size

3.0MB
MD5

4bb4673d0094b327f9f8102becd9c744
SHA1

77718b24a5b83a4707239e28a4b706010e3b6c2d
SHA256

b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44
SHA512

83db7100be3994673c34068c69a5ee1fee393c69194039602494580cb440d6ee548369d4b20d5bd96f73cef303cce4ba46d38837c3746a25b2fcc61f92f65113
SSDEEP

49152:PaqbKvH7byM1y0XQtaZkggEWdubEOMM8Yk22E59gS9uBNuJf4duLAF:PMvHawV/ScWoIjYgEkSJj8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4368	rundll32.exe
4368	rundll32.exe
2512	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings	b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1400	2276	b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe	69
PID 2276 wrote to memory of 1400	2276	b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe	69
PID 2276 wrote to memory of 1400	2276	b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe	69
PID 1400 wrote to memory of 4368	1400	control.exe	71
PID 1400 wrote to memory of 4368	1400	control.exe	71
PID 1400 wrote to memory of 4368	1400	control.exe	71
PID 4368 wrote to memory of 4956	4368	rundll32.exe	72
PID 4368 wrote to memory of 4956	4368	rundll32.exe	72
PID 4956 wrote to memory of 2512	4956	RunDll32.exe	73
PID 4956 wrote to memory of 2512	4956	RunDll32.exe	73
PID 4956 wrote to memory of 2512	4956	RunDll32.exe	73

C:\Users\Admin\AppData\Local\Temp\b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe
"C:\Users\Admin\AppData\Local\Temp\b57d247d5e61233bae958a87d897500169a9b48b8a58e42a6effc9c503944a44.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\B0QCNG.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B0QCNG.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B0QCNG.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\B0QCNG.CPL",
        5⤵
        Loads dropped DLL
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B0QCNG.CPL

Filesize
2.5MB

MD5
4b2d19b776efae3cbaa27d07854951d3

SHA1
38538c4aae6fd141905b9a1c88552fc990c2be85

SHA256
569d0c05bebb150838ef7d5c03eb03b9c127cc3d6b7c2e00a2e0c8b8ca40cd96

SHA512
696f3e81645b201248955fdb61cd4d13427c708cee4a8a6effa9f1d9a87307fb5f73d551cf7d45c9a448495ca484525026f792ac641ad1fffe789d7d125b0a78

Download Submit
\Users\Admin\AppData\Local\Temp\B0QCNg.cpl

Filesize
2.5MB

MD5
4b2d19b776efae3cbaa27d07854951d3

SHA1
38538c4aae6fd141905b9a1c88552fc990c2be85

SHA256
569d0c05bebb150838ef7d5c03eb03b9c127cc3d6b7c2e00a2e0c8b8ca40cd96

SHA512
696f3e81645b201248955fdb61cd4d13427c708cee4a8a6effa9f1d9a87307fb5f73d551cf7d45c9a448495ca484525026f792ac641ad1fffe789d7d125b0a78

Download Submit
\Users\Admin\AppData\Local\Temp\B0QCNg.cpl

Filesize
2.5MB

MD5
4b2d19b776efae3cbaa27d07854951d3

SHA1
38538c4aae6fd141905b9a1c88552fc990c2be85

SHA256
569d0c05bebb150838ef7d5c03eb03b9c127cc3d6b7c2e00a2e0c8b8ca40cd96

SHA512
696f3e81645b201248955fdb61cd4d13427c708cee4a8a6effa9f1d9a87307fb5f73d551cf7d45c9a448495ca484525026f792ac641ad1fffe789d7d125b0a78

Download Submit
\Users\Admin\AppData\Local\Temp\B0QCNg.cpl

Filesize
2.5MB

MD5
4b2d19b776efae3cbaa27d07854951d3

SHA1
38538c4aae6fd141905b9a1c88552fc990c2be85

SHA256
569d0c05bebb150838ef7d5c03eb03b9c127cc3d6b7c2e00a2e0c8b8ca40cd96

SHA512
696f3e81645b201248955fdb61cd4d13427c708cee4a8a6effa9f1d9a87307fb5f73d551cf7d45c9a448495ca484525026f792ac641ad1fffe789d7d125b0a78

Download Submit
memory/2512-149-0x00000000055B0000-0x0000000005683000-memory.dmp

Filesize
844KB

Download
memory/2512-148-0x00000000055B0000-0x0000000005683000-memory.dmp

Filesize
844KB

Download
memory/2512-145-0x00000000055B0000-0x0000000005683000-memory.dmp

Filesize
844KB

Download
memory/2512-144-0x00000000054C0000-0x00000000055AB000-memory.dmp

Filesize
940KB

Download
memory/2512-139-0x0000000003360000-0x0000000003366000-memory.dmp

Filesize
24KB

Download
memory/2512-140-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/4368-127-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/4368-137-0x0000000004DB0000-0x0000000004E83000-memory.dmp

Filesize
844KB

Download
memory/4368-136-0x0000000004DB0000-0x0000000004E83000-memory.dmp

Filesize
844KB

Download
memory/4368-133-0x0000000004DB0000-0x0000000004E83000-memory.dmp

Filesize
844KB

Download
memory/4368-132-0x0000000004CC0000-0x0000000004DAB000-memory.dmp

Filesize
940KB

Download
memory/4368-128-0x0000000000EE0000-0x0000000001160000-memory.dmp

Filesize
2.5MB

Download
memory/4368-126-0x0000000000EE0000-0x0000000001160000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing