03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe
Size

1.8MB
MD5

1efd9cddefa96edfdd2eaf2e2cf46ae0
SHA1

c42d1e96e741763fc75dca3cb99c8d559189d248
SHA256

03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7
SHA512

8100f4df7b50bb736d23dbad4814696546242228e37e43151350437a95dbeb7230ce02a519b6e24772fbfb4ba306782aa1680aa7845dcdabcbc1ed5bac48ba80
SSDEEP

49152:eehEJaXwNOuBMlp8ivVpWUlz4O/jO3rKuarUlHH:eehBhv8ezf/jObKrMH

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe
1044	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2448	2204	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	28
PID 2204 wrote to memory of 2448	2204	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	28
PID 2204 wrote to memory of 2448	2204	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	28
PID 2204 wrote to memory of 2448	2204	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	28
PID 2448 wrote to memory of 2756	2448	cmd.exe	30
PID 2448 wrote to memory of 2756	2448	cmd.exe	30
PID 2448 wrote to memory of 2756	2448	cmd.exe	30
PID 2448 wrote to memory of 2756	2448	cmd.exe	30
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2756 wrote to memory of 2704	2756	control.exe	31
PID 2704 wrote to memory of 2472	2704	rundll32.exe	32
PID 2704 wrote to memory of 2472	2704	rundll32.exe	32
PID 2704 wrote to memory of 2472	2704	rundll32.exe	32
PID 2704 wrote to memory of 2472	2704	rundll32.exe	32
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33
PID 2472 wrote to memory of 1044	2472	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe
"C:\Users\Admin\AppData\Local\Temp\03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z617AE89C\7~3L~eD.BaT" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL",
        6⤵
        Loads dropped DLL
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z617AE89C\7~3L~eD.BaT

Filesize
38B

MD5
f67378edef44c946e6990028ffbd0046

SHA1
8ba2846e9c2923ff51e9587982f11a8b023d8898

SHA256
9aebc93f197499012d3bcae7eba54ab5126ad8aaacdb5d901dbdb09d3785ed17

SHA512
c7eaf62e64057b86f5fe5b7f0999afacae8b8799ef5ea241063cad7be466b70676319f97e0ddfc46cc72415f66b6e22c43f050f5758e998e7269e840466a3c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z617AE89C\7~3L~eD.BaT

Filesize
38B

MD5
f67378edef44c946e6990028ffbd0046

SHA1
8ba2846e9c2923ff51e9587982f11a8b023d8898

SHA256
9aebc93f197499012d3bcae7eba54ab5126ad8aaacdb5d901dbdb09d3785ed17

SHA512
c7eaf62e64057b86f5fe5b7f0999afacae8b8799ef5ea241063cad7be466b70676319f97e0ddfc46cc72415f66b6e22c43f050f5758e998e7269e840466a3c75

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z617AE89C\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
memory/1044-76-0x0000000002720000-0x000000000283A000-memory.dmp

Filesize
1.1MB

Download
memory/1044-75-0x0000000002720000-0x000000000283A000-memory.dmp

Filesize
1.1MB

Download
memory/1044-73-0x0000000002720000-0x000000000283A000-memory.dmp

Filesize
1.1MB

Download
memory/1044-71-0x00000000025E0000-0x0000000002717000-memory.dmp

Filesize
1.2MB

Download
memory/1044-68-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/2704-62-0x0000000002620000-0x000000000273A000-memory.dmp

Filesize
1.1MB

Download
memory/2704-52-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/2704-53-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/2704-63-0x0000000002620000-0x000000000273A000-memory.dmp

Filesize
1.1MB

Download
memory/2704-58-0x0000000000A20000-0x0000000000B57000-memory.dmp

Filesize
1.2MB

Download
memory/2704-60-0x0000000002620000-0x000000000273A000-memory.dmp

Filesize
1.1MB

Download
memory/2704-59-0x0000000002620000-0x000000000273A000-memory.dmp

Filesize
1.1MB

Download