9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
Size

1.9MB
MD5

2af29bc7d67f65add890bede62d7ba50
SHA1

4158f8b6f8378767ed1a658ea0e2db11eafcd1fc
SHA256

9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0
SHA512

a4a87fb974d01524d05a7c0c7e71908521ae57ed3103bfe60d9ad6cc83fb4fea45d870ca8284be5e0451eb5bc79845209fe4795fdafdeea19af8a15c582ef623
SSDEEP

49152:wWhr59BfJXAE+USYqWcQYlrUOx5l+tlJcrxEfXghaE30L6aTESjog:wWhrPBfKE7zYYOxcLcCfQQEE3TESJ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
2692	rundll32.exe
2692	rundll32.exe
2692	rundll32.exe
2692	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2636	2792	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	28
PID 2792 wrote to memory of 2636	2792	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	28
PID 2792 wrote to memory of 2636	2792	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	28
PID 2792 wrote to memory of 2636	2792	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	28
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2636 wrote to memory of 2760	2636	control.exe	29
PID 2760 wrote to memory of 2768	2760	rundll32.exe	30
PID 2760 wrote to memory of 2768	2760	rundll32.exe	30
PID 2760 wrote to memory of 2768	2760	rundll32.exe	30
PID 2760 wrote to memory of 2768	2760	rundll32.exe	30
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31
PID 2768 wrote to memory of 2692	2768	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
"C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
        5⤵
        Loads dropped DLL
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
memory/2692-33-0x00000000026D0000-0x00000000027BA000-memory.dmp

Filesize
936KB

Download
memory/2692-24-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2692-28-0x00000000025C0000-0x00000000026C3000-memory.dmp

Filesize
1.0MB

Download
memory/2692-29-0x00000000026D0000-0x00000000027BA000-memory.dmp

Filesize
936KB

Download
memory/2692-32-0x00000000026D0000-0x00000000027BA000-memory.dmp

Filesize
936KB

Download
memory/2760-8-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download
memory/2760-19-0x0000000002700000-0x00000000027EA000-memory.dmp

Filesize
936KB

Download
memory/2760-18-0x0000000002700000-0x00000000027EA000-memory.dmp

Filesize
936KB

Download
memory/2760-15-0x0000000002700000-0x00000000027EA000-memory.dmp

Filesize
936KB

Download
memory/2760-14-0x00000000025F0000-0x00000000026F3000-memory.dmp

Filesize
1.0MB

Download
memory/2760-9-0x00000000000E0000-0x00000000000E6000-memory.dmp

Filesize
24KB

Download