03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7

General

Target

03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe
Size

1.8MB
MD5

1efd9cddefa96edfdd2eaf2e2cf46ae0
SHA1

c42d1e96e741763fc75dca3cb99c8d559189d248
SHA256

03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7
SHA512

8100f4df7b50bb736d23dbad4814696546242228e37e43151350437a95dbeb7230ce02a519b6e24772fbfb4ba306782aa1680aa7845dcdabcbc1ed5bac48ba80
SSDEEP

49152:eehEJaXwNOuBMlp8ivVpWUlz4O/jO3rKuarUlHH:eehBhv8ezf/jObKrMH

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2948	rundll32.exe
3512	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2256	4800	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	71
PID 4800 wrote to memory of 2256	4800	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	71
PID 4800 wrote to memory of 2256	4800	03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe	71
PID 2256 wrote to memory of 1496	2256	cmd.exe	74
PID 2256 wrote to memory of 1496	2256	cmd.exe	74
PID 2256 wrote to memory of 1496	2256	cmd.exe	74
PID 1496 wrote to memory of 2948	1496	control.exe	75
PID 1496 wrote to memory of 2948	1496	control.exe	75
PID 1496 wrote to memory of 2948	1496	control.exe	75
PID 2948 wrote to memory of 2748	2948	rundll32.exe	76
PID 2948 wrote to memory of 2748	2948	rundll32.exe	76
PID 2748 wrote to memory of 3512	2748	RunDll32.exe	77
PID 2748 wrote to memory of 3512	2748	RunDll32.exe	77
PID 2748 wrote to memory of 3512	2748	RunDll32.exe	77

C:\Users\Admin\AppData\Local\Temp\03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe
"C:\Users\Admin\AppData\Local\Temp\03f23189ab039f75b3f63d3e08dc11fe3fae67806e5c3d638b9d714806e55ce7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\7~3L~eD.BaT" "
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL",
        6⤵
        Loads dropped DLL
        
        PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z8253E2C0\7~3L~eD.BaT

Filesize
38B

MD5
f67378edef44c946e6990028ffbd0046

SHA1
8ba2846e9c2923ff51e9587982f11a8b023d8898

SHA256
9aebc93f197499012d3bcae7eba54ab5126ad8aaacdb5d901dbdb09d3785ed17

SHA512
c7eaf62e64057b86f5fe5b7f0999afacae8b8799ef5ea241063cad7be466b70676319f97e0ddfc46cc72415f66b6e22c43f050f5758e998e7269e840466a3c75

Download Submit
\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
\Users\Admin\AppData\Local\Temp\7z8253E2C0\01ZHG.cPL

Filesize
1.9MB

MD5
9e999248a83cad4b85bbe1d4b70cd117

SHA1
b5f255b135c9c748fcd00b920c3ce3218ca90c87

SHA256
1f47248bf806a1fc5fdf18f658a653285ac6cf7d111c54cdd4b900b35c0e120b

SHA512
ea5ca6e50b6ab70acd01596fc5d21a6fd0113bdf509bc08158f9a7e0e2229d7051d801a85d8d4a1de1ca1d631faa0b6b557e17fed6070f9904b71a05ff9da26a

Download Submit
memory/2948-18-0x00000000047B0000-0x00000000048CA000-memory.dmp

Filesize
1.1MB

Download
memory/2948-14-0x0000000004670000-0x00000000047A7000-memory.dmp

Filesize
1.2MB

Download
memory/2948-15-0x00000000047B0000-0x00000000048CA000-memory.dmp

Filesize
1.1MB

Download
memory/2948-16-0x00000000047B0000-0x00000000048CA000-memory.dmp

Filesize
1.1MB

Download
memory/2948-10-0x0000000010000000-0x00000000101DC000-memory.dmp

Filesize
1.9MB

Download
memory/2948-19-0x00000000047B0000-0x00000000048CA000-memory.dmp

Filesize
1.1MB

Download
memory/2948-9-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/3512-21-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

Filesize
24KB

Download
memory/3512-26-0x0000000005120000-0x0000000005257000-memory.dmp

Filesize
1.2MB

Download
memory/3512-28-0x0000000005260000-0x000000000537A000-memory.dmp

Filesize
1.1MB

Download
memory/3512-30-0x0000000005260000-0x000000000537A000-memory.dmp

Filesize
1.1MB

Download
memory/3512-31-0x0000000005260000-0x000000000537A000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing