0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe
Size

1.8MB
MD5

8b5937861b7cae2b0ed67954876a2f36
SHA1

d50360ecc36c057fea9945653cfa21c75e8edd70
SHA256

0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d
SHA512

f01fe493d293dc0a7770381efdf00e0ed2754d367ea90a7dc7dbcaedb463207c3abcb92651e2c3c5f4726aae7d3a7bf88899798721273cf060fd7ef379aabad7
SSDEEP

49152:wWhr59BfJXAE+UKuPzCClp/XbRD3mCZBeHtTU:wWhrPBfKEBPzxPbR7pGlU

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2528	rundll32.exe
2528	rundll32.exe
2528	rundll32.exe
2528	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2612	2928	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	28
PID 2928 wrote to memory of 2612	2928	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	28
PID 2928 wrote to memory of 2612	2928	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	28
PID 2928 wrote to memory of 2612	2928	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	28
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2612 wrote to memory of 2656	2612	control.exe	29
PID 2656 wrote to memory of 2520	2656	rundll32.exe	32
PID 2656 wrote to memory of 2520	2656	rundll32.exe	32
PID 2656 wrote to memory of 2520	2656	rundll32.exe	32
PID 2656 wrote to memory of 2520	2656	rundll32.exe	32
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33
PID 2520 wrote to memory of 2528	2520	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe
"C:\Users\Admin\AppData\Local\Temp\0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
        5⤵
        Loads dropped DLL
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
memory/2528-37-0x00000000025E0000-0x00000000026D2000-memory.dmp

Filesize
968KB

Download
memory/2528-32-0x00000000021F0000-0x00000000022FC000-memory.dmp

Filesize
1.0MB

Download
memory/2528-25-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/2528-33-0x00000000025E0000-0x00000000026D2000-memory.dmp

Filesize
968KB

Download
memory/2528-36-0x00000000025E0000-0x00000000026D2000-memory.dmp

Filesize
968KB

Download
memory/2656-8-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/2656-20-0x0000000002660000-0x0000000002752000-memory.dmp

Filesize
968KB

Download
memory/2656-19-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download
memory/2656-18-0x0000000002660000-0x0000000002752000-memory.dmp

Filesize
968KB

Download
memory/2656-15-0x0000000002660000-0x0000000002752000-memory.dmp

Filesize
968KB

Download
memory/2656-14-0x0000000002550000-0x000000000265C000-memory.dmp

Filesize
1.0MB

Download
memory/2656-9-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download