560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02-11-2023 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe
Size

1.9MB
MD5

6c9a2b414a565e9eb71b19039ccd468b
SHA1

61d8d000b3da5e78de0fe1c54b72d029fbbac7d8
SHA256

560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0
SHA512

3ee9cbad06b922519b1e5a266c677339fb6c8a780ed0ce50a50105c864cac622f79a7409bc1fb816cf9bc76a510018b4b9143869df48be230b5b1537d527fc33
SSDEEP

49152:IS5QkSXV6YFzwIBP2/711XuGKAAHWYZ7fc3H/+HYHiTCegHUB0ET:IS5SXV5w0PBnC0AX6TCe0UBj

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2740	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2068	2060	560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe	28
PID 2060 wrote to memory of 2068	2060	560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe	28
PID 2060 wrote to memory of 2068	2060	560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe	28
PID 2060 wrote to memory of 2068	2060	560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe	28
PID 2068 wrote to memory of 2860	2068	cmd.exe	30
PID 2068 wrote to memory of 2860	2068	cmd.exe	30
PID 2068 wrote to memory of 2860	2068	cmd.exe	30
PID 2068 wrote to memory of 2860	2068	cmd.exe	30
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2860 wrote to memory of 2740	2860	control.exe	31
PID 2740 wrote to memory of 2824	2740	rundll32.exe	32
PID 2740 wrote to memory of 2824	2740	rundll32.exe	32
PID 2740 wrote to memory of 2824	2740	rundll32.exe	32
PID 2740 wrote to memory of 2824	2740	rundll32.exe	32
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33
PID 2824 wrote to memory of 2580	2824	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe
"C:\Users\Admin\AppData\Local\Temp\560a2939888acdb2cb2c8f7685c8672f4d888cf3ebc47ea5515ba79d8553d5c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z6560080C\lNp27EQ.CMd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL",
        6⤵
        Loads dropped DLL
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z6560080C\lNp27EQ.CMd

Filesize
69B

MD5
f9b495a0ceac2c8a00d1d05bf42a9ea7

SHA1
a3226117e320411a78e7d3904cd7ec95acc6511a

SHA256
eae358b0cb33082b98b12696f69434a100c7b9b2cbcf1c3affa0334ba5e3c6bc

SHA512
e007673b3ce4a78f960ed56c64a25a32cebc9046b72307e5037ac62bc77a36684d9493bbd362b75f6125c3a9f749bd57ece4d1bbe608931789cb8205676c52d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6560080C\lNp27EQ.CMd

Filesize
69B

MD5
f9b495a0ceac2c8a00d1d05bf42a9ea7

SHA1
a3226117e320411a78e7d3904cd7ec95acc6511a

SHA256
eae358b0cb33082b98b12696f69434a100c7b9b2cbcf1c3affa0334ba5e3c6bc

SHA512
e007673b3ce4a78f960ed56c64a25a32cebc9046b72307e5037ac62bc77a36684d9493bbd362b75f6125c3a9f749bd57ece4d1bbe608931789cb8205676c52d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
\Users\Admin\AppData\Local\Temp\7z6560080C\rszSN17.cPL

Filesize
2.0MB

MD5
48477cc91fffac2fc6853a5837e13dff

SHA1
1c50e7029930b4a23a69c8ee618a0615d2c3fb80

SHA256
9170cb9b0634c733659dbd138428c09956b9a0b65eed2121caa68e9f10ead72f

SHA512
df93a23945195cc7c8e66ba7523c9a94e03849c6c9e65a43ab9bbe50ba4d558a528a2e7061b014989383be486b5423d1cc532736d719f988c3fc8ecf038a30d7

Download Submit
memory/2580-66-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2580-68-0x0000000002640000-0x000000000275E000-memory.dmp

Filesize
1.1MB

Download
memory/2580-69-0x0000000002760000-0x0000000002861000-memory.dmp

Filesize
1.0MB

Download
memory/2580-72-0x0000000002760000-0x0000000002861000-memory.dmp

Filesize
1.0MB

Download
memory/2580-73-0x0000000002760000-0x0000000002861000-memory.dmp

Filesize
1.0MB

Download
memory/2740-56-0x00000000026C0000-0x00000000027C1000-memory.dmp

Filesize
1.0MB

Download
memory/2740-59-0x00000000026C0000-0x00000000027C1000-memory.dmp

Filesize
1.0MB

Download
memory/2740-60-0x00000000026C0000-0x00000000027C1000-memory.dmp

Filesize
1.0MB

Download
memory/2740-55-0x00000000025A0000-0x00000000026BE000-memory.dmp

Filesize
1.1MB

Download
memory/2740-53-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/2740-52-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download