4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e

General

Target

4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe
Size

1.8MB
MD5

1ddd6dc29ff1a2755b3520ea3ba235f4
SHA1

e5c2f962599c6ae6ca0ae354c8f65fefa92a4c85
SHA256

4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e
SHA512

27f449e9510efe462009a0c9d215bbd5d1cc6e30190bbd5dc0c65f7b9ea9ffd849fc2ecf6098487db5ec20ec88de082383320c31df4e19bc753508118a7feb71
SSDEEP

24576:cY6HE3ooxQ2Qc7CgeRYox/kRP2lEDuxtVgUHHgwpspHCUSnGcdXkO2IdVt9Jf6AY:cYEE4oDUxYOlED4ghw25E9dP9CHvCSD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3204	rundll32.exe
2252	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2776	4308	4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe	70
PID 4308 wrote to memory of 2776	4308	4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe	70
PID 4308 wrote to memory of 2776	4308	4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe	70
PID 2776 wrote to memory of 4804	2776	cmd.exe	73
PID 2776 wrote to memory of 4804	2776	cmd.exe	73
PID 2776 wrote to memory of 4804	2776	cmd.exe	73
PID 4804 wrote to memory of 3204	4804	control.exe	74
PID 4804 wrote to memory of 3204	4804	control.exe	74
PID 4804 wrote to memory of 3204	4804	control.exe	74
PID 3204 wrote to memory of 864	3204	rundll32.exe	75
PID 3204 wrote to memory of 864	3204	rundll32.exe	75
PID 864 wrote to memory of 2252	864	RunDll32.exe	76
PID 864 wrote to memory of 2252	864	RunDll32.exe	76
PID 864 wrote to memory of 2252	864	RunDll32.exe	76

C:\Users\Admin\AppData\Local\Temp\4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe
"C:\Users\Admin\AppData\Local\Temp\4826668db47c66d0977b1854238ae8300d3c898cfcd1b22b601c46958f1e687e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\eWJ2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\control.exe
    cONTROL.exe "C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5M.0"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5M.0"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5M.0"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5M.0"
        6⤵
        Loads dropped DLL
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5M.0

Filesize
1.8MB

MD5
e7b53cc8db457957f9ea3ef8c1dbf8b1

SHA1
fe5bc00ae9ebbbe52bd56d00ffbc4785fb64b0a0

SHA256
8265871d5c7f7ea63ef1902167cc2914738209761029ea6640679d89006db14f

SHA512
67bb37b10857389b1db5d702ee0cbf34d3674c6e655be94d7a8000ae30331f2463854a1ad752fac865163e029ec45a91f2978a8156c962e5b68743a568aa80f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7BADC0D4\eWJ2.bat

Filesize
33B

MD5
362f79783eacb65fa266852227484e5f

SHA1
fd77925c4493282a3baa82eb5ff90ff4a3742fda

SHA256
0f40e096a49c2091dc3a726e9bbbc876188321dc60d7b4daa9234ba452d0fad2

SHA512
24789b6ef7d3b5b403f8b1c26f33acc4dcedc26c7ec29a5a2940f1203acc5e8ef9efc051f7e82b742aa78741f6f4a2abe41c5f633001c8b19f0a81923027b50f

Download Submit
\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5m.0

Filesize
1.8MB

MD5
e7b53cc8db457957f9ea3ef8c1dbf8b1

SHA1
fe5bc00ae9ebbbe52bd56d00ffbc4785fb64b0a0

SHA256
8265871d5c7f7ea63ef1902167cc2914738209761029ea6640679d89006db14f

SHA512
67bb37b10857389b1db5d702ee0cbf34d3674c6e655be94d7a8000ae30331f2463854a1ad752fac865163e029ec45a91f2978a8156c962e5b68743a568aa80f7

Download Submit
\Users\Admin\AppData\Local\Temp\7z7BADC0D4\2P3NEC5m.0

Filesize
1.8MB

MD5
e7b53cc8db457957f9ea3ef8c1dbf8b1

SHA1
fe5bc00ae9ebbbe52bd56d00ffbc4785fb64b0a0

SHA256
8265871d5c7f7ea63ef1902167cc2914738209761029ea6640679d89006db14f

SHA512
67bb37b10857389b1db5d702ee0cbf34d3674c6e655be94d7a8000ae30331f2463854a1ad752fac865163e029ec45a91f2978a8156c962e5b68743a568aa80f7

Download Submit
memory/2252-28-0x0000000005640000-0x000000000573D000-memory.dmp

Filesize
1012KB

Download
memory/2252-27-0x0000000005640000-0x000000000573D000-memory.dmp

Filesize
1012KB

Download
memory/2252-24-0x0000000005640000-0x000000000573D000-memory.dmp

Filesize
1012KB

Download
memory/2252-23-0x0000000005520000-0x0000000005638000-memory.dmp

Filesize
1.1MB

Download
memory/2252-19-0x0000000003420000-0x0000000003426000-memory.dmp

Filesize
24KB

Download
memory/3204-9-0x0000000000C50000-0x0000000000C56000-memory.dmp

Filesize
24KB

Download
memory/3204-17-0x0000000004EF0000-0x0000000004FED000-memory.dmp

Filesize
1012KB

Download
memory/3204-16-0x0000000004EF0000-0x0000000004FED000-memory.dmp

Filesize
1012KB

Download
memory/3204-13-0x0000000004EF0000-0x0000000004FED000-memory.dmp

Filesize
1012KB

Download
memory/3204-12-0x0000000004DD0000-0x0000000004EE8000-memory.dmp

Filesize
1.1MB

Download
memory/3204-10-0x0000000010000000-0x00000000101D4000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing