c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 13:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe
Size

1.6MB
MD5

2636f7151ddb23d5ba7a934b9f27ca30
SHA1

38208a11d6322a422b89a754e945c486550f76b1
SHA256

c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3
SHA512

9613ad1236fee60bc60d613f85819b3394244702558018527322e1142fe25dabdd5392b301bb642bb8b4742558984718aff56fb8958047465f473df0f945c945
SSDEEP

24576:8cbD/e1EBSgF74vyq9Dk8XeTtWOXuh6ayS3DJg/o7UG4jJ3nwQgjfhiDBwTb7Ep:8cbi6SiUdXeppM6a13VrV4jJ1gVi8m

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2120	1848	c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe	28
PID 1848 wrote to memory of 2120	1848	c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe	28
PID 1848 wrote to memory of 2120	1848	c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe	28
PID 1848 wrote to memory of 2120	1848	c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe	28
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 2120 wrote to memory of 1064	2120	control.exe	29
PID 1064 wrote to memory of 2620	1064	rundll32.exe	30
PID 1064 wrote to memory of 2620	1064	rundll32.exe	30
PID 1064 wrote to memory of 2620	1064	rundll32.exe	30
PID 1064 wrote to memory of 2620	1064	rundll32.exe	30
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31
PID 2620 wrote to memory of 2624	2620	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe
"C:\Users\Admin\AppData\Local\Temp\c99b70d765199870f2530ceedfc6f2833fa6092b4725972e94706ce08b1a59e3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl",
        5⤵
        Loads dropped DLL
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
\Users\Admin\AppData\Local\Temp\WRBOCGq.cpl

Filesize
1.4MB

MD5
35604c5d205e3651f7ec5d6fcda133a0

SHA1
f78ca77a192ecc290cfd00ee975a73ce9bad5cb4

SHA256
05189a3cb02bb862fa8814f574defbee25c4043d0bc4ca8633ba6fda0d11a8d0

SHA512
2b3c2e524a1f9fb3c46d616b9e197a891a349e17bc68164b37b45ab2192427fb2142b8a3efadce6de9eae702651d015f32970b92ad5711e06f9594513db0fbc7

Download Submit
memory/1064-8-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1064-19-0x0000000002680000-0x000000000276A000-memory.dmp

Filesize
936KB

Download
memory/1064-18-0x0000000002680000-0x000000000276A000-memory.dmp

Filesize
936KB

Download
memory/1064-15-0x0000000002680000-0x000000000276A000-memory.dmp

Filesize
936KB

Download
memory/1064-14-0x0000000002570000-0x0000000002673000-memory.dmp

Filesize
1.0MB

Download
memory/1064-9-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download
memory/2624-24-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2624-27-0x0000000002670000-0x0000000002773000-memory.dmp

Filesize
1.0MB

Download
memory/2624-28-0x0000000002780000-0x000000000286A000-memory.dmp

Filesize
936KB

Download
memory/2624-31-0x0000000002780000-0x000000000286A000-memory.dmp

Filesize
936KB

Download
memory/2624-32-0x0000000002780000-0x000000000286A000-memory.dmp

Filesize
936KB

Download