1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe
Size

2.7MB
MD5

f73c8c34698daef0fcba3e53714247cf
SHA1

73475153d5fd37278a4a95a46004478cbe5391a4
SHA256

1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715
SHA512

e720dfc32f84da4224d9ae884c922499cdf8f7753c3f9b640353117708f925f2e74fe4f469f7816762061c56f0faccc2ec54f266299d308535ad94137d3499af
SSDEEP

49152:mDkUrjmGODtKWKatRBQrea6lARAonilZh3k0FhJ2oTvU6JrBm:m4U9ODsWtSr/6CRfilvk8J9vUg8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2548	2156	1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe	28
PID 2156 wrote to memory of 2548	2156	1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe	28
PID 2156 wrote to memory of 2548	2156	1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe	28
PID 2156 wrote to memory of 2548	2156	1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe	28
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2548 wrote to memory of 2744	2548	control.exe	29
PID 2744 wrote to memory of 2624	2744	rundll32.exe	30
PID 2744 wrote to memory of 2624	2744	rundll32.exe	30
PID 2744 wrote to memory of 2624	2744	rundll32.exe	30
PID 2744 wrote to memory of 2624	2744	rundll32.exe	30
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31
PID 2624 wrote to memory of 2736	2624	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe
"C:\Users\Admin\AppData\Local\Temp\1deb1d59e25b2200e8ef631c3ec2dd67870158df8a3dd687492e4ad9820c7715.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\9umo.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9umo.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9umo.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\9umo.CpL",
        5⤵
        Loads dropped DLL
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9umo.CpL

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
\Users\Admin\AppData\Local\Temp\9umo.cpl

Filesize
2.7MB

MD5
f2bdd8e9e35bccf276e02e265b2dff2a

SHA1
e8922e04820248b4786e5039951d5da02711b1bf

SHA256
651c458ce872b4eb71ec0f4992238e503053e2697219315fba234239471c1b9c

SHA512
a9c6086d63b837622c484ddd6cbb9a4478ecd0d3e7a1fa6185035aac97c553b2f2654ce0da2375075de34e0009ca8e35b7732e421f998ccca550b22c4fa9274a

Download Submit
memory/2736-29-0x0000000002810000-0x0000000002906000-memory.dmp

Filesize
984KB

Download
memory/2736-21-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2736-24-0x00000000026F0000-0x0000000002801000-memory.dmp

Filesize
1.1MB

Download
memory/2736-25-0x0000000002810000-0x0000000002906000-memory.dmp

Filesize
984KB

Download
memory/2736-28-0x0000000002810000-0x0000000002906000-memory.dmp

Filesize
984KB

Download
memory/2744-9-0x0000000010000000-0x00000000102B7000-memory.dmp

Filesize
2.7MB

Download
memory/2744-16-0x0000000002760000-0x0000000002856000-memory.dmp

Filesize
984KB

Download
memory/2744-15-0x0000000002760000-0x0000000002856000-memory.dmp

Filesize
984KB

Download
memory/2744-12-0x0000000002760000-0x0000000002856000-memory.dmp

Filesize
984KB

Download
memory/2744-11-0x0000000002640000-0x0000000002751000-memory.dmp

Filesize
1.1MB

Download
memory/2744-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download