3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2

General

Target

3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe
Size

3.0MB
MD5

e4906eee0b813e779889c559f6ba6489
SHA1

cbf260ff621740b0f2fa9a7123e161f191121a92
SHA256

3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2
SHA512

8b5cdade2505d7b3b5a63200ff210fff11fb327c609366bdd0ec5fc6954a74a20e5f210feaaea91ba6ff37d41ec8713835a4e314d6cd59282ddce7801d7badce
SSDEEP

98304:kWhSeBfKEGNO3Bi3ZoQu9xH51rZ9YTDD1TeTUiz:Cm3gJoQSxHDZOvpMUiz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
5004	rundll32.exe
972	rundll32.exe
972	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4884	4816	3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe	69
PID 4816 wrote to memory of 4884	4816	3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe	69
PID 4816 wrote to memory of 4884	4816	3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe	69
PID 4884 wrote to memory of 5004	4884	control.exe	71
PID 4884 wrote to memory of 5004	4884	control.exe	71
PID 4884 wrote to memory of 5004	4884	control.exe	71
PID 5004 wrote to memory of 4032	5004	rundll32.exe	72
PID 5004 wrote to memory of 4032	5004	rundll32.exe	72
PID 4032 wrote to memory of 972	4032	RunDll32.exe	73
PID 4032 wrote to memory of 972	4032	RunDll32.exe	73
PID 4032 wrote to memory of 972	4032	RunDll32.exe	73

C:\Users\Admin\AppData\Local\Temp\3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe
"C:\Users\Admin\AppData\Local\Temp\3116278bbc60be67ae2884876133cc594b9efeb70710dd251e4e3283a28ce7f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1EHyC.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1EHyC.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1EHyC.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\1EHyC.cpl",
        5⤵
        Loads dropped DLL
        
        PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1EHyC.cpl

Filesize
2.6MB

MD5
47a8b04f2ffdc38ba095c8ceb6c9b555

SHA1
50a0caae1e2d9417f26bf027e75c607c7d3ed538

SHA256
59c942fa22766ff4d5ec7561b905aebd4874756c9f7251b65eeb67ec9d94758f

SHA512
caae235fa87282a38213221396734c01ef6b1811902da1714a9c5f68ef7e8e6c6feeee329b0a59eb7432b0eed3134fddaca80e04e9e16edb8b96ddcb6cd7a0b2

Download Submit
\Users\Admin\AppData\Local\Temp\1ehyC.cpl

Filesize
2.6MB

MD5
47a8b04f2ffdc38ba095c8ceb6c9b555

SHA1
50a0caae1e2d9417f26bf027e75c607c7d3ed538

SHA256
59c942fa22766ff4d5ec7561b905aebd4874756c9f7251b65eeb67ec9d94758f

SHA512
caae235fa87282a38213221396734c01ef6b1811902da1714a9c5f68ef7e8e6c6feeee329b0a59eb7432b0eed3134fddaca80e04e9e16edb8b96ddcb6cd7a0b2

Download Submit
\Users\Admin\AppData\Local\Temp\1ehyC.cpl

Filesize
2.6MB

MD5
47a8b04f2ffdc38ba095c8ceb6c9b555

SHA1
50a0caae1e2d9417f26bf027e75c607c7d3ed538

SHA256
59c942fa22766ff4d5ec7561b905aebd4874756c9f7251b65eeb67ec9d94758f

SHA512
caae235fa87282a38213221396734c01ef6b1811902da1714a9c5f68ef7e8e6c6feeee329b0a59eb7432b0eed3134fddaca80e04e9e16edb8b96ddcb6cd7a0b2

Download Submit
\Users\Admin\AppData\Local\Temp\1ehyC.cpl

Filesize
2.6MB

MD5
47a8b04f2ffdc38ba095c8ceb6c9b555

SHA1
50a0caae1e2d9417f26bf027e75c607c7d3ed538

SHA256
59c942fa22766ff4d5ec7561b905aebd4874756c9f7251b65eeb67ec9d94758f

SHA512
caae235fa87282a38213221396734c01ef6b1811902da1714a9c5f68ef7e8e6c6feeee329b0a59eb7432b0eed3134fddaca80e04e9e16edb8b96ddcb6cd7a0b2

Download Submit
memory/972-17-0x0000000004310000-0x000000000459E000-memory.dmp

Filesize
2.6MB

Download
memory/972-27-0x0000000004A80000-0x0000000004B7A000-memory.dmp

Filesize
1000KB

Download
memory/972-26-0x0000000004A80000-0x0000000004B7A000-memory.dmp

Filesize
1000KB

Download
memory/972-24-0x0000000004A80000-0x0000000004B7A000-memory.dmp

Filesize
1000KB

Download
memory/972-22-0x0000000004960000-0x0000000004A73000-memory.dmp

Filesize
1.1MB

Download
memory/972-18-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/972-19-0x0000000004310000-0x000000000459E000-memory.dmp

Filesize
2.6MB

Download
memory/5004-8-0x0000000004FD0000-0x00000000050E3000-memory.dmp

Filesize
1.1MB

Download
memory/5004-14-0x00000000050F0000-0x00000000051EA000-memory.dmp

Filesize
1000KB

Download
memory/5004-13-0x00000000050F0000-0x00000000051EA000-memory.dmp

Filesize
1000KB

Download
memory/5004-11-0x00000000050F0000-0x00000000051EA000-memory.dmp

Filesize
1000KB

Download
memory/5004-10-0x00000000050F0000-0x00000000051EA000-memory.dmp

Filesize
1000KB

Download
memory/5004-9-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/5004-5-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/5004-6-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing