5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64

General

Target

5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe
Size

2.2MB
MD5

0c1e825745ec1b327e63e2810731c32b
SHA1

7d6e19e0535e059ef14763556b39e783e7201833
SHA256

5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64
SHA512

b30ef4c55b8f4000a30c5c2a8d2b5fb5802ff1e1a3a18c4a99bd902b6ece32110a9294759110ccd9031b8d2cfa47c990537eb8e86293aa030b398a3b7dba054c
SSDEEP

49152:ISog6K5XG3uzrz22xKUy7zzCnqrC3N4dTMdEotIwikm6Dli3pN5b:ISyKFG+z5xHKId4dTPVkmPZN5b

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
336	rundll32.exe
1828	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2644	2672	5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe	70
PID 2672 wrote to memory of 2644	2672	5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe	70
PID 2672 wrote to memory of 2644	2672	5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe	70
PID 2644 wrote to memory of 3636	2644	cmd.exe	73
PID 2644 wrote to memory of 3636	2644	cmd.exe	73
PID 2644 wrote to memory of 3636	2644	cmd.exe	73
PID 3636 wrote to memory of 336	3636	control.exe	74
PID 3636 wrote to memory of 336	3636	control.exe	74
PID 3636 wrote to memory of 336	3636	control.exe	74
PID 336 wrote to memory of 2744	336	rundll32.exe	75
PID 336 wrote to memory of 2744	336	rundll32.exe	75
PID 2744 wrote to memory of 1828	2744	RunDll32.exe	76
PID 2744 wrote to memory of 1828	2744	RunDll32.exe	76
PID 2744 wrote to memory of 1828	2744	RunDll32.exe	76

C:\Users\Admin\AppData\Local\Temp\5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe
"C:\Users\Admin\AppData\Local\Temp\5bdb19eb99597a8660386f8a5bd298dfbfe3b9e97a4dd58cc5dda278e30e4c64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\AK.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\control.exe
    cONtROL.EXe "C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kMJ4I.wsf"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kMJ4I.wsf"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kMJ4I.wsf"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kMJ4I.wsf"
        6⤵
        Loads dropped DLL
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\AK.cmd

Filesize
35B

MD5
9b12d19fbb3515c77e4c0d3e0c729382

SHA1
5fd4972e5b7ce51a3a25042663becb3a77b46dfd

SHA256
4ee80abb3097b5039ee919ee384f072ea483acc194ad54c5dc71d69bf5d95390

SHA512
83eee81bf66c39addcda0e57603468779c3f58fe8985bd42ee824f42bcf5c56e3c759f45117a3b32383eb897a31ecece610101585bed91286241d63eb5a68331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kMJ4I.wsf

Filesize
2.3MB

MD5
ecdc797793e330040f8cbd554012d78f

SHA1
bf6ede2575d0480b112e43e25c79a5a21f32e6a3

SHA256
5106ef9cb8018331b581312ebea7439261fcbf9a4d29adb0ddc279578ff1c906

SHA512
af0796682d61a6d6acc434f83d69ca0fe5e01e4964f24f82e6e54f4c5556f1bcdf7bf7376d15f01192624db909e11fa28765b4ab17bc290f638f79d38dbce268

Download Submit
\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kmJ4I.wsf

Filesize
2.3MB

MD5
ecdc797793e330040f8cbd554012d78f

SHA1
bf6ede2575d0480b112e43e25c79a5a21f32e6a3

SHA256
5106ef9cb8018331b581312ebea7439261fcbf9a4d29adb0ddc279578ff1c906

SHA512
af0796682d61a6d6acc434f83d69ca0fe5e01e4964f24f82e6e54f4c5556f1bcdf7bf7376d15f01192624db909e11fa28765b4ab17bc290f638f79d38dbce268

Download Submit
\Users\Admin\AppData\Local\Temp\7z7E3A1A70\kmJ4I.wsf

Filesize
2.3MB

MD5
ecdc797793e330040f8cbd554012d78f

SHA1
bf6ede2575d0480b112e43e25c79a5a21f32e6a3

SHA256
5106ef9cb8018331b581312ebea7439261fcbf9a4d29adb0ddc279578ff1c906

SHA512
af0796682d61a6d6acc434f83d69ca0fe5e01e4964f24f82e6e54f4c5556f1bcdf7bf7376d15f01192624db909e11fa28765b4ab17bc290f638f79d38dbce268

Download Submit
memory/336-19-0x0000000004960000-0x0000000004A5C000-memory.dmp

Filesize
1008KB

Download
memory/336-14-0x0000000004840000-0x0000000004958000-memory.dmp

Filesize
1.1MB

Download
memory/336-15-0x0000000010000000-0x0000000010242000-memory.dmp

Filesize
2.3MB

Download
memory/336-16-0x0000000004960000-0x0000000004A5C000-memory.dmp

Filesize
1008KB

Download
memory/336-9-0x0000000002600000-0x0000000002606000-memory.dmp

Filesize
24KB

Download
memory/336-20-0x0000000004960000-0x0000000004A5C000-memory.dmp

Filesize
1008KB

Download
memory/336-10-0x0000000010000000-0x0000000010242000-memory.dmp

Filesize
2.3MB

Download
memory/1828-22-0x0000000003F50000-0x0000000003F56000-memory.dmp

Filesize
24KB

Download
memory/1828-28-0x0000000004690000-0x00000000047A8000-memory.dmp

Filesize
1.1MB

Download
memory/1828-29-0x00000000047B0000-0x00000000048AC000-memory.dmp

Filesize
1008KB

Download
memory/1828-32-0x00000000047B0000-0x00000000048AC000-memory.dmp

Filesize
1008KB

Download
memory/1828-33-0x00000000047B0000-0x00000000048AC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing