aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1

General

Target

aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe
Size

2.2MB
MD5

74c7319562424fb8b371e4e78ee96b1d
SHA1

e5537984006422e28f7783b0bed822c0d2ce0fc7
SHA256

aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1
SHA512

230aea9bf157a9a25fdc59158d2e25adac3ba626bd6753f7b6d43bb475880be90f6d7402affe80cc693646413f345c2511db9234328eb1030712e0fc59953207
SSDEEP

49152:ISBNBgNl82fxf2DGNELzTTTJB3uLtLknVhj17lcvQ5lPsSGLGXyc:ISBAT8axxuLHv3pVlcY/Ps3G5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
656	rundll32.exe
2816	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2108	2744	aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe	70
PID 2744 wrote to memory of 2108	2744	aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe	70
PID 2744 wrote to memory of 2108	2744	aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe	70
PID 2108 wrote to memory of 3348	2108	cmd.exe	73
PID 2108 wrote to memory of 3348	2108	cmd.exe	73
PID 2108 wrote to memory of 3348	2108	cmd.exe	73
PID 3348 wrote to memory of 656	3348	control.exe	74
PID 3348 wrote to memory of 656	3348	control.exe	74
PID 3348 wrote to memory of 656	3348	control.exe	74
PID 656 wrote to memory of 408	656	rundll32.exe	75
PID 656 wrote to memory of 408	656	rundll32.exe	75
PID 408 wrote to memory of 2816	408	RunDll32.exe	76
PID 408 wrote to memory of 2816	408	RunDll32.exe	76
PID 408 wrote to memory of 2816	408	RunDll32.exe	76

C:\Users\Admin\AppData\Local\Temp\aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe
"C:\Users\Admin\AppData\Local\Temp\aacec29e255d86472875388beee63953b6164a7d60c1e0d09a25b45d4ae851e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\uz7v.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\control.exe
    ContROl.EXe "C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.JJ_"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.JJ_"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.JJ_"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.JJ_"
        6⤵
        Loads dropped DLL
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.JJ_

Filesize
2.3MB

MD5
f94195cfa37fff94e370d4c2661926b0

SHA1
2bdf94c8abe18dea26f45974d1993fb39e0fd407

SHA256
564634cd325b10d2a0c5c863d606af34696709cd42c42b7acbf2a77170129706

SHA512
b24b4627694877208a5addbcc1744e28f82fbd57cb004e1a27ade679b77fa6ff26c7da891f02c8745a798c7eebe92ab1c50413fdfad70548a1b8a2b9613af8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\uz7v.cmd

Filesize
33B

MD5
4bff93b2e229cee97207e1956cf76b7f

SHA1
45e9da50d4a866a665e4b1f31a7e98eeeae8c63e

SHA256
9398d7df0f718e21e8a54e1de3b8ac1a661fbabd3e9f99178e3a16de180abcda

SHA512
f3657c34364edf4e1796019a758e29d408faef6883b0106198004c5726c169584292bc567e90d33bd124091ff4c03634ff680af0524e2e3f80bda2875517c0d4

Download Submit
\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.jJ_

Filesize
2.3MB

MD5
f94195cfa37fff94e370d4c2661926b0

SHA1
2bdf94c8abe18dea26f45974d1993fb39e0fd407

SHA256
564634cd325b10d2a0c5c863d606af34696709cd42c42b7acbf2a77170129706

SHA512
b24b4627694877208a5addbcc1744e28f82fbd57cb004e1a27ade679b77fa6ff26c7da891f02c8745a798c7eebe92ab1c50413fdfad70548a1b8a2b9613af8cf

Download Submit
\Users\Admin\AppData\Local\Temp\7z7FDF3AB8\NjHp.jJ_

Filesize
2.3MB

MD5
f94195cfa37fff94e370d4c2661926b0

SHA1
2bdf94c8abe18dea26f45974d1993fb39e0fd407

SHA256
564634cd325b10d2a0c5c863d606af34696709cd42c42b7acbf2a77170129706

SHA512
b24b4627694877208a5addbcc1744e28f82fbd57cb004e1a27ade679b77fa6ff26c7da891f02c8745a798c7eebe92ab1c50413fdfad70548a1b8a2b9613af8cf

Download Submit
memory/656-10-0x00000000031F0000-0x00000000031F6000-memory.dmp

Filesize
24KB

Download
memory/656-15-0x0000000005350000-0x0000000005468000-memory.dmp

Filesize
1.1MB

Download
memory/656-16-0x0000000005470000-0x000000000556C000-memory.dmp

Filesize
1008KB

Download
memory/656-19-0x0000000005470000-0x000000000556C000-memory.dmp

Filesize
1008KB

Download
memory/656-20-0x0000000005470000-0x000000000556C000-memory.dmp

Filesize
1008KB

Download
memory/656-9-0x0000000010000000-0x0000000010242000-memory.dmp

Filesize
2.3MB

Download
memory/2816-22-0x0000000003500000-0x0000000003506000-memory.dmp

Filesize
24KB

Download
memory/2816-28-0x0000000005530000-0x0000000005648000-memory.dmp

Filesize
1.1MB

Download
memory/2816-29-0x0000000005650000-0x000000000574C000-memory.dmp

Filesize
1008KB

Download
memory/2816-32-0x0000000005650000-0x000000000574C000-memory.dmp

Filesize
1008KB

Download
memory/2816-33-0x0000000005650000-0x000000000574C000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing