32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145

Analysis

max time kernel
44s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe
Size

2.4MB
MD5

62737e9d8fa194680c14ac93e7e2ca60
SHA1

d59244314fbdae385e1b6668272400577b97d62d
SHA256

32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145
SHA512

a10db4d37f620857b60405d6e967b6b48f5dcaf7c1e0d5335bd6d5e3888030d784b73f70a0fd8d8f162e557fbc652c32d71ba645ef6595ded85442a6463e6023
SSDEEP

49152:IS2AgDNXtNFslW7023Kq3j8MbTRCXHIdezovJNuOH6SXHx34tyo4ZSq+jQFv/:IS29DNXrsl26qz8MbVCXodCoBNua6SBR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2720	2064	32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe	28
PID 2064 wrote to memory of 2720	2064	32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe	28
PID 2064 wrote to memory of 2720	2064	32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe	28
PID 2064 wrote to memory of 2720	2064	32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe	28
PID 2720 wrote to memory of 2868	2720	cmd.exe	30
PID 2720 wrote to memory of 2868	2720	cmd.exe	30
PID 2720 wrote to memory of 2868	2720	cmd.exe	30
PID 2720 wrote to memory of 2868	2720	cmd.exe	30
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2868 wrote to memory of 2740	2868	control.exe	31
PID 2740 wrote to memory of 2556	2740	rundll32.exe	34
PID 2740 wrote to memory of 2556	2740	rundll32.exe	34
PID 2740 wrote to memory of 2556	2740	rundll32.exe	34
PID 2740 wrote to memory of 2556	2740	rundll32.exe	34
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35
PID 2556 wrote to memory of 2944	2556	RunDll32.exe	35

C:\Users\Admin\AppData\Local\Temp\32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe
"C:\Users\Admin\AppData\Local\Temp\32a5cc387b35bab81c95f1893c1079f29eccf7705264543020de9ce915dd6145.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z66BB6810\gCIBK.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\control.exe
    ConTRol.exE "C:\Users\Admin\AppData\Local\Temp\7z66BB6810\EYP.9S"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z66BB6810\EYP.9S"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z66BB6810\EYP.9S"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z66BB6810\EYP.9S"
        6⤵
        Loads dropped DLL
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z66BB6810\EYP.9S

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66BB6810\gCIBK.cmd

Filesize
26B

MD5
57299dcccbb133bde7b4954e2bd4d448

SHA1
c2e19e48f0c0820a31deb708353a0f9afc89511b

SHA256
aaec1b15a8b73b2eae5f95bebee1cbcdddcd4f61e52032b5ad0b4261d4f80f79

SHA512
46c3388aa474bc8ac0d47b0475ef3ebf14e327f9d2afc66e9963a307c5dcc004bd6c15ea5616a502f6ba5905c186bfbbb12eee2e4b74a73180f2a11532e51bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z66BB6810\gCIBK.cmd

Filesize
26B

MD5
57299dcccbb133bde7b4954e2bd4d448

SHA1
c2e19e48f0c0820a31deb708353a0f9afc89511b

SHA256
aaec1b15a8b73b2eae5f95bebee1cbcdddcd4f61e52032b5ad0b4261d4f80f79

SHA512
46c3388aa474bc8ac0d47b0475ef3ebf14e327f9d2afc66e9963a307c5dcc004bd6c15ea5616a502f6ba5905c186bfbbb12eee2e4b74a73180f2a11532e51bba

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
\Users\Admin\AppData\Local\Temp\7z66BB6810\eYP.9s

Filesize
2.4MB

MD5
827bfc38984ca04e505babe0c95f3bb9

SHA1
065ac005a40f7ada0f4388a84500f2b7a35d6079

SHA256
7fc0edcf223e22a4a76b8cc30810dc44ae217b5c0b6582ed5e956e8a2306cecd

SHA512
be093e4365d9a7f411f0291ca55d76b3de53ab460cf7de79999271d30f6daf8c1d01972708991b231b7f5a546f1949a965ace0d166135eaa2442eb3dade6bcef

Download Submit
memory/2740-32-0x00000000027E0000-0x00000000028D9000-memory.dmp

Filesize
996KB

Download
memory/2740-33-0x00000000027E0000-0x00000000028D9000-memory.dmp

Filesize
996KB

Download
memory/2740-29-0x00000000027E0000-0x00000000028D9000-memory.dmp

Filesize
996KB

Download
memory/2740-28-0x00000000026C0000-0x00000000027D4000-memory.dmp

Filesize
1.1MB

Download
memory/2740-23-0x00000000001A0000-0x00000000001A6000-memory.dmp

Filesize
24KB

Download
memory/2740-24-0x0000000010000000-0x0000000010263000-memory.dmp

Filesize
2.4MB

Download
memory/2944-38-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2944-41-0x0000000002570000-0x0000000002684000-memory.dmp

Filesize
1.1MB

Download
memory/2944-42-0x0000000002690000-0x0000000002789000-memory.dmp

Filesize
996KB

Download
memory/2944-45-0x0000000002690000-0x0000000002789000-memory.dmp

Filesize
996KB

Download
memory/2944-46-0x0000000002690000-0x0000000002789000-memory.dmp

Filesize
996KB

Download