57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1

General

Target

57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe
Size

1.9MB
MD5

ec1166763b8bd5ce88381c2518356490
SHA1

c427bbef3c2b2ad35ca8ced18fea10b1376ed47d
SHA256

57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1
SHA512

759c1e86a081a866a98c566ab1f12f82511c67720980c2baccc30fb177047cbfb12c1f922dd14167937da5bb1f30c4624a16e3d8e9f698b91966cbd0b50b84e2
SSDEEP

49152:ISuLuHmuBiFLbFDzb5JU2dFN8lF8Cm7//uit7c/SzafBbn5mpgKBFm:IS+uGgiFZbXSlF8B7/WitwnfBbnkQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1424	rundll32.exe
4436	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 2664	500	57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe	71
PID 500 wrote to memory of 2664	500	57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe	71
PID 500 wrote to memory of 2664	500	57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe	71
PID 2664 wrote to memory of 1260	2664	cmd.exe	74
PID 2664 wrote to memory of 1260	2664	cmd.exe	74
PID 2664 wrote to memory of 1260	2664	cmd.exe	74
PID 1260 wrote to memory of 1424	1260	control.exe	75
PID 1260 wrote to memory of 1424	1260	control.exe	75
PID 1260 wrote to memory of 1424	1260	control.exe	75
PID 1424 wrote to memory of 2636	1424	rundll32.exe	76
PID 1424 wrote to memory of 2636	1424	rundll32.exe	76
PID 2636 wrote to memory of 4436	2636	RunDll32.exe	77
PID 2636 wrote to memory of 4436	2636	RunDll32.exe	77
PID 2636 wrote to memory of 4436	2636	RunDll32.exe	77

C:\Users\Admin\AppData\Local\Temp\57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe
"C:\Users\Admin\AppData\Local\Temp\57540a7007a39c06399af9b7cab286808a8d237d1dc533f91844b0fdf6b030e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\hfv.cMD" "
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL",
        6⤵
        Loads dropped DLL
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\hfv.cMD

Filesize
63B

MD5
68b571dcf0f83cef68c231f43b9cfc99

SHA1
5be26a60255c838d4b263ff30ce5fc1d93e9ab38

SHA256
4420fd38ca8d03741b361bb123b719cacbe207d0f9b6b4dff45a82c3b94d93ef

SHA512
9e99325a7ce8ea88f1008fa4f5af80384436fcdc735271edbe8551965e96292cdb099d15508a909b0ec51afc0e7f9aa0ca3223d2063744e2b9bfd08a1d2eca1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL

Filesize
2.0MB

MD5
4a7928994328eb7436331e77767317fd

SHA1
084c42ed3840b511ade0450a7720e49b1b6107ce

SHA256
f20f723aab058c1a96b008413aa2c48ad7680b57b94e501f797bee2b1273b466

SHA512
a205ff1a2c23cd0f2ddeb7aa4022791cd3bdd61d6620272e4201c1ecd8ce63d1429d338ea263fb5b15583d5a2f28922fc783e285df947f514aa288b6c276431e

Download Submit
\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL

Filesize
2.0MB

MD5
4a7928994328eb7436331e77767317fd

SHA1
084c42ed3840b511ade0450a7720e49b1b6107ce

SHA256
f20f723aab058c1a96b008413aa2c48ad7680b57b94e501f797bee2b1273b466

SHA512
a205ff1a2c23cd0f2ddeb7aa4022791cd3bdd61d6620272e4201c1ecd8ce63d1429d338ea263fb5b15583d5a2f28922fc783e285df947f514aa288b6c276431e

Download Submit
\Users\Admin\AppData\Local\Temp\7z7BED71F4\yk4du.cPL

Filesize
2.0MB

MD5
4a7928994328eb7436331e77767317fd

SHA1
084c42ed3840b511ade0450a7720e49b1b6107ce

SHA256
f20f723aab058c1a96b008413aa2c48ad7680b57b94e501f797bee2b1273b466

SHA512
a205ff1a2c23cd0f2ddeb7aa4022791cd3bdd61d6620272e4201c1ecd8ce63d1429d338ea263fb5b15583d5a2f28922fc783e285df947f514aa288b6c276431e

Download Submit
memory/1424-9-0x0000000004AC0000-0x0000000004AC6000-memory.dmp

Filesize
24KB

Download
memory/1424-14-0x00000000051E0000-0x00000000052FD000-memory.dmp

Filesize
1.1MB

Download
memory/1424-15-0x0000000005300000-0x0000000005400000-memory.dmp

Filesize
1024KB

Download
memory/1424-18-0x0000000005300000-0x0000000005400000-memory.dmp

Filesize
1024KB

Download
memory/1424-19-0x0000000005300000-0x0000000005400000-memory.dmp

Filesize
1024KB

Download
memory/1424-10-0x0000000010000000-0x00000000101F5000-memory.dmp

Filesize
2.0MB

Download
memory/4436-21-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/4436-26-0x0000000004750000-0x000000000486D000-memory.dmp

Filesize
1.1MB

Download
memory/4436-27-0x0000000004870000-0x0000000004970000-memory.dmp

Filesize
1024KB

Download
memory/4436-30-0x0000000004870000-0x0000000004970000-memory.dmp

Filesize
1024KB

Download
memory/4436-31-0x0000000004870000-0x0000000004970000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing