644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189

General

Target

644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe
Size

2.9MB
MD5

4eb8bdea2d89f3c273012480b79dc524
SHA1

a6be2a73d06bae552886ee653e90b70571ee5e7c
SHA256

644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189
SHA512

91736ee4a478ad62df931a8e82ee839f33dd621c9ba04d649ad86b206d3c959ca4976117769983721030dfbe453e933e4934020ea50015aaa3b1f4d7e897dfee
SSDEEP

49152:nILW0qg8DmBn98ZXzcxAVg8Bp5d85SjpinTrUrDjYjq0Hm/Ah5/CP7mHLW/5+:nA8KBn98ZXoxAzdRucjb0G/Ah8qHLWR+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4380	rundll32.exe
4380	rundll32.exe
4364	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2828	4164	644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe	82
PID 4164 wrote to memory of 2828	4164	644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe	82
PID 4164 wrote to memory of 2828	4164	644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe	82
PID 2828 wrote to memory of 4380	2828	control.exe	84
PID 2828 wrote to memory of 4380	2828	control.exe	84
PID 2828 wrote to memory of 4380	2828	control.exe	84
PID 4380 wrote to memory of 2548	4380	rundll32.exe	92
PID 4380 wrote to memory of 2548	4380	rundll32.exe	92
PID 2548 wrote to memory of 4364	2548	RunDll32.exe	93
PID 2548 wrote to memory of 4364	2548	RunDll32.exe	93
PID 2548 wrote to memory of 4364	2548	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe
"C:\Users\Admin\AppData\Local\Temp\644ef457eea92a4d3495f2076f841df0b701fe148aa16307c9973159129f0189.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\S~Lt.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\S~Lt.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\S~Lt.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\S~Lt.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\S~Lt.Cpl

Filesize
2.6MB

MD5
622bc5a0fccee5a36ba2ae9c942e1062

SHA1
b5281f6ad718d182ea54e24de412021098cabcae

SHA256
1ee29ab1a6077f10a9209c37c9d04ccbee8f6900bda465bb3cf357c6952808bc

SHA512
bb93dc7d0287a091b13693f1a6f39f1051a2082dbee3045042d431cdb1b5a7f743ee3bce2a00fdcebe8966e1066c421f63f2e66560b6888d872d2e4ff796ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\s~Lt.cpl

Filesize
2.6MB

MD5
622bc5a0fccee5a36ba2ae9c942e1062

SHA1
b5281f6ad718d182ea54e24de412021098cabcae

SHA256
1ee29ab1a6077f10a9209c37c9d04ccbee8f6900bda465bb3cf357c6952808bc

SHA512
bb93dc7d0287a091b13693f1a6f39f1051a2082dbee3045042d431cdb1b5a7f743ee3bce2a00fdcebe8966e1066c421f63f2e66560b6888d872d2e4ff796ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\s~Lt.cpl

Filesize
2.6MB

MD5
622bc5a0fccee5a36ba2ae9c942e1062

SHA1
b5281f6ad718d182ea54e24de412021098cabcae

SHA256
1ee29ab1a6077f10a9209c37c9d04ccbee8f6900bda465bb3cf357c6952808bc

SHA512
bb93dc7d0287a091b13693f1a6f39f1051a2082dbee3045042d431cdb1b5a7f743ee3bce2a00fdcebe8966e1066c421f63f2e66560b6888d872d2e4ff796ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\s~Lt.cpl

Filesize
2.6MB

MD5
622bc5a0fccee5a36ba2ae9c942e1062

SHA1
b5281f6ad718d182ea54e24de412021098cabcae

SHA256
1ee29ab1a6077f10a9209c37c9d04ccbee8f6900bda465bb3cf357c6952808bc

SHA512
bb93dc7d0287a091b13693f1a6f39f1051a2082dbee3045042d431cdb1b5a7f743ee3bce2a00fdcebe8966e1066c421f63f2e66560b6888d872d2e4ff796ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\s~Lt.cpl

Filesize
2.6MB

MD5
622bc5a0fccee5a36ba2ae9c942e1062

SHA1
b5281f6ad718d182ea54e24de412021098cabcae

SHA256
1ee29ab1a6077f10a9209c37c9d04ccbee8f6900bda465bb3cf357c6952808bc

SHA512
bb93dc7d0287a091b13693f1a6f39f1051a2082dbee3045042d431cdb1b5a7f743ee3bce2a00fdcebe8966e1066c421f63f2e66560b6888d872d2e4ff796ef25

Download Submit
memory/4364-25-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/4364-24-0x00000000011E0000-0x00000000011E6000-memory.dmp

Filesize
24KB

Download
memory/4364-29-0x00000000029F0000-0x0000000002B01000-memory.dmp

Filesize
1.1MB

Download
memory/4364-30-0x0000000003200000-0x00000000032F7000-memory.dmp

Filesize
988KB

Download
memory/4364-33-0x0000000003200000-0x00000000032F7000-memory.dmp

Filesize
988KB

Download
memory/4364-34-0x0000000003200000-0x00000000032F7000-memory.dmp

Filesize
988KB

Download
memory/4380-13-0x0000000000B30000-0x0000000000B36000-memory.dmp

Filesize
24KB

Download
memory/4380-17-0x0000000002FB0000-0x00000000030C1000-memory.dmp

Filesize
1.1MB

Download
memory/4380-18-0x00000000030D0000-0x00000000031C7000-memory.dmp

Filesize
988KB

Download
memory/4380-21-0x00000000030D0000-0x00000000031C7000-memory.dmp

Filesize
988KB

Download
memory/4380-22-0x00000000030D0000-0x00000000031C7000-memory.dmp

Filesize
988KB

Download
memory/4380-14-0x0000000002960000-0x0000000002C03000-memory.dmp

Filesize
2.6MB

Download
memory/4380-12-0x0000000002960000-0x0000000002C03000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing