d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4

General

Target

d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe
Size

1.7MB
MD5

86aa7ee03ba50ab9852b19f1843f4c72
SHA1

e7c452bf8051691497afe6d821379bc31de5f2a0
SHA256

d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4
SHA512

9d19081442e9501ab9dbf6f1939c42b2e589ea4c4f5627c015333028ca85525e1b2519ba0628412cab0fa4a131f07229b946e995dbe0e2265ce4196cb8d922c8
SSDEEP

49152:ISOnr8cXDzI+Ft+fnHrKV/59cZKiM5no4Gnyce6nf3WR4Ak:ISOnr8czzI+F2nHrUB9F5n9Pce6nf3P

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1276	rundll32.exe
3088	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3116	4276	d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe	71
PID 4276 wrote to memory of 3116	4276	d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe	71
PID 4276 wrote to memory of 3116	4276	d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe	71
PID 3116 wrote to memory of 4004	3116	cmd.exe	74
PID 3116 wrote to memory of 4004	3116	cmd.exe	74
PID 3116 wrote to memory of 4004	3116	cmd.exe	74
PID 4004 wrote to memory of 1276	4004	control.exe	75
PID 4004 wrote to memory of 1276	4004	control.exe	75
PID 4004 wrote to memory of 1276	4004	control.exe	75
PID 1276 wrote to memory of 4616	1276	rundll32.exe	76
PID 1276 wrote to memory of 4616	1276	rundll32.exe	76
PID 4616 wrote to memory of 3088	4616	RunDll32.exe	77
PID 4616 wrote to memory of 3088	4616	RunDll32.exe	77
PID 4616 wrote to memory of 3088	4616	RunDll32.exe	77

C:\Users\Admin\AppData\Local\Temp\d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe
"C:\Users\Admin\AppData\Local\Temp\d95e8ad729b8958f8576decddb5bcf2ca25743ef9f70ea00f8fc22029b038ec4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\zJ~.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\control.exe
    coNTROl "C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7VS3.Xq"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7VS3.Xq"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7VS3.Xq"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7VS3.Xq"
        6⤵
        Loads dropped DLL
        
        PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7VS3.Xq

Filesize
1.8MB

MD5
db5491c824d3b36346cbcbaef6df7415

SHA1
52dcfd272022c0fb412fa1cce39fd85f19843904

SHA256
8ebd5ca6da6e7a2e78b30c0aaca942a6076bf0f48016e717d468417c43f8c7e6

SHA512
85ffdb497ea0f39a858ad755b9f0ccbf88cdd8bb60a313a771627fefacec02e395ec4599516ed49f1cf7518b47bfdce2e15b915eb88b0104372bfe4b16790889

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7E67E0B4\zJ~.bat

Filesize
30B

MD5
373176d41906318423798a0c1f9a1fee

SHA1
84a3311ca22fc010a2e9d5d98463d7ed979e9365

SHA256
d72c01b60447e6dace9b297e7b5acd94ce924c29ddfed7e4749093c7e42d94b3

SHA512
2bd08ed20714b6d521725a27894e1331dcc616182a887ae2d1e82fe9d95c611716904af87c28c0debc28dd2039704b7233de6a3d6d440901e1e2fb9df311570f

Download Submit
\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7vS3.Xq

Filesize
1.8MB

MD5
db5491c824d3b36346cbcbaef6df7415

SHA1
52dcfd272022c0fb412fa1cce39fd85f19843904

SHA256
8ebd5ca6da6e7a2e78b30c0aaca942a6076bf0f48016e717d468417c43f8c7e6

SHA512
85ffdb497ea0f39a858ad755b9f0ccbf88cdd8bb60a313a771627fefacec02e395ec4599516ed49f1cf7518b47bfdce2e15b915eb88b0104372bfe4b16790889

Download Submit
\Users\Admin\AppData\Local\Temp\7z7E67E0B4\N7vS3.Xq

Filesize
1.8MB

MD5
db5491c824d3b36346cbcbaef6df7415

SHA1
52dcfd272022c0fb412fa1cce39fd85f19843904

SHA256
8ebd5ca6da6e7a2e78b30c0aaca942a6076bf0f48016e717d468417c43f8c7e6

SHA512
85ffdb497ea0f39a858ad755b9f0ccbf88cdd8bb60a313a771627fefacec02e395ec4599516ed49f1cf7518b47bfdce2e15b915eb88b0104372bfe4b16790889

Download Submit
memory/1276-17-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/1276-12-0x00000000049F0000-0x0000000004B0C000-memory.dmp

Filesize
1.1MB

Download
memory/1276-13-0x0000000010000000-0x00000000101C4000-memory.dmp

Filesize
1.8MB

Download
memory/1276-14-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/1276-10-0x0000000010000000-0x00000000101C4000-memory.dmp

Filesize
1.8MB

Download
memory/1276-18-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/1276-9-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

Filesize
24KB

Download
memory/3088-20-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/3088-24-0x0000000004B60000-0x0000000004C7C000-memory.dmp

Filesize
1.1MB

Download
memory/3088-25-0x0000000004C80000-0x0000000004D82000-memory.dmp

Filesize
1.0MB

Download
memory/3088-28-0x0000000004C80000-0x0000000004D82000-memory.dmp

Filesize
1.0MB

Download
memory/3088-29-0x0000000004C80000-0x0000000004D82000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing