f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df

General

Target

f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe
Size

2.3MB
MD5

f13f49d16818e8a16dc7ac29f1d5cab6
SHA1

5b1c266116739b74da85c115bab04a7d1479baf1
SHA256

f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df
SHA512

2de96a95260f18f24996eb69df8e30e4f42e915d07afcedf78082e011009752cbba62c6064fb6d41ce58447c4629d9ca3f16fe1d5787478facccf8214a50f356
SSDEEP

49152:8cbi6FGj5VZXY7sibPkAwmQCPiE4AZE1TV+0mX4:8cb6xoY+cfbELE/hC4

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3096	rundll32.exe
1744	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4568	3868	f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe	81
PID 3868 wrote to memory of 4568	3868	f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe	81
PID 3868 wrote to memory of 4568	3868	f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe	81
PID 4568 wrote to memory of 3096	4568	control.exe	83
PID 4568 wrote to memory of 3096	4568	control.exe	83
PID 4568 wrote to memory of 3096	4568	control.exe	83
PID 3096 wrote to memory of 952	3096	rundll32.exe	86
PID 3096 wrote to memory of 952	3096	rundll32.exe	86
PID 952 wrote to memory of 1744	952	RunDll32.exe	87
PID 952 wrote to memory of 1744	952	RunDll32.exe	87
PID 952 wrote to memory of 1744	952	RunDll32.exe	87

C:\Users\Admin\AppData\Local\Temp\f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe
"C:\Users\Admin\AppData\Local\Temp\f052b51147ff8036ce17a162f75cb6afd6a9b9b146de969018e8d41964e119df.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XPAI8D6E.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XPAI8D6E.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XPAI8D6E.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XPAI8D6E.cPl",
        5⤵
        Loads dropped DLL
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XPAI8D6E.cPl

Filesize
2.3MB

MD5
8de82f199bdf0573f4e661a83e15cc02

SHA1
d717482e1ab432be459d005b12890b927125d91f

SHA256
d1808aac8cdd7edd4c0df8029509ad3e89f376b6fb9ca7a3b7ce6bb90dcd6e0b

SHA512
48ce3199d7f71e8e56ab8965da721a4b29e7108057a898a86b44f4521f44b465be687a2d0c38a8b1eea7c225f86f464750692d8f1cc2bee3dd9f5d09cf3b0fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPAi8D6E.cpl

Filesize
2.3MB

MD5
8de82f199bdf0573f4e661a83e15cc02

SHA1
d717482e1ab432be459d005b12890b927125d91f

SHA256
d1808aac8cdd7edd4c0df8029509ad3e89f376b6fb9ca7a3b7ce6bb90dcd6e0b

SHA512
48ce3199d7f71e8e56ab8965da721a4b29e7108057a898a86b44f4521f44b465be687a2d0c38a8b1eea7c225f86f464750692d8f1cc2bee3dd9f5d09cf3b0fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPAi8D6E.cpl

Filesize
2.3MB

MD5
8de82f199bdf0573f4e661a83e15cc02

SHA1
d717482e1ab432be459d005b12890b927125d91f

SHA256
d1808aac8cdd7edd4c0df8029509ad3e89f376b6fb9ca7a3b7ce6bb90dcd6e0b

SHA512
48ce3199d7f71e8e56ab8965da721a4b29e7108057a898a86b44f4521f44b465be687a2d0c38a8b1eea7c225f86f464750692d8f1cc2bee3dd9f5d09cf3b0fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPAi8D6E.cpl

Filesize
2.3MB

MD5
8de82f199bdf0573f4e661a83e15cc02

SHA1
d717482e1ab432be459d005b12890b927125d91f

SHA256
d1808aac8cdd7edd4c0df8029509ad3e89f376b6fb9ca7a3b7ce6bb90dcd6e0b

SHA512
48ce3199d7f71e8e56ab8965da721a4b29e7108057a898a86b44f4521f44b465be687a2d0c38a8b1eea7c225f86f464750692d8f1cc2bee3dd9f5d09cf3b0fd3

Download Submit
memory/1744-29-0x00000000035D0000-0x00000000036B5000-memory.dmp

Filesize
916KB

Download
memory/1744-28-0x00000000035D0000-0x00000000036B5000-memory.dmp

Filesize
916KB

Download
memory/1744-25-0x00000000035D0000-0x00000000036B5000-memory.dmp

Filesize
916KB

Download
memory/1744-24-0x00000000034D0000-0x00000000035CD000-memory.dmp

Filesize
1012KB

Download
memory/1744-21-0x0000000001340000-0x0000000001346000-memory.dmp

Filesize
24KB

Download
memory/3096-12-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/3096-19-0x0000000003330000-0x0000000003415000-memory.dmp

Filesize
916KB

Download
memory/3096-18-0x0000000003330000-0x0000000003415000-memory.dmp

Filesize
916KB

Download
memory/3096-15-0x0000000003330000-0x0000000003415000-memory.dmp

Filesize
916KB

Download
memory/3096-14-0x0000000003230000-0x000000000332D000-memory.dmp

Filesize
1012KB

Download
memory/3096-11-0x0000000001270000-0x0000000001276000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing