490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d

General

Target

490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe
Size

2.3MB
MD5

12b9044ccedca31c840fe1634bb89ffb
SHA1

b2c0dfce10c3a481d21abb67889551a985bb24ae
SHA256

490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d
SHA512

68693782c96b8aecf09f78d7abfd86418fafdcf09984b25a5deef68696420a70ff3d67997250fa23b1111a446de5aa35bd163b7aed696d299094fabc38178c09
SSDEEP

49152:UJGiNiM7N8IF7pttnHmPZO+6t+mKndI0TdjDHwpc2l+AsGVhjg/1GXPa:UIiNi08IF7pttHmPZDjtdjR2vDVhM/1L

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4288	rundll32.exe
4268	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 5096	3484	490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe	70
PID 3484 wrote to memory of 5096	3484	490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe	70
PID 3484 wrote to memory of 5096	3484	490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe	70
PID 5096 wrote to memory of 4436	5096	cmd.exe	72
PID 5096 wrote to memory of 4436	5096	cmd.exe	72
PID 5096 wrote to memory of 4436	5096	cmd.exe	72
PID 4436 wrote to memory of 4288	4436	control.exe	74
PID 4436 wrote to memory of 4288	4436	control.exe	74
PID 4436 wrote to memory of 4288	4436	control.exe	74
PID 4288 wrote to memory of 3832	4288	rundll32.exe	75
PID 4288 wrote to memory of 3832	4288	rundll32.exe	75
PID 3832 wrote to memory of 4268	3832	RunDll32.exe	76
PID 3832 wrote to memory of 4268	3832	RunDll32.exe	76
PID 3832 wrote to memory of 4268	3832	RunDll32.exe	76

C:\Users\Admin\AppData\Local\Temp\490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe
"C:\Users\Admin\AppData\Local\Temp\490963523b6e992ed1d7801f08171f6f698989fbca873fd6031ec684169c711d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c .\2tkk5_.bat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL",
        6⤵
        Loads dropped DLL
        
        PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\2tKk5_.bat

Filesize
41B

MD5
b66b9ca31c048e96a01e20b3150a83f3

SHA1
1d461b08d55d82fed7e4203de6729ef807021ecc

SHA256
28dad89c3042411ab49821c3615ab5c187485ffd6692e5204a9f570009f36a4d

SHA512
8f765c4dd5e41f5dde53c3352f0fd6b69b70aee582240283c5a9831847380e45b07b40f1f2307d5d1155939c19641f158f36dedd49e519c73a90d40f0c577fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL

Filesize
2.8MB

MD5
cb33fda46dff1f4fa24ff29c5e71eb67

SHA1
39edd16958fd08a8a1ae7ef8ad133c5b2bed143a

SHA256
e6e8945ed2a012b9e8e9f5774377addbd9dae998a26f8b86a9b6358029790a65

SHA512
94391f10c5f8b43e32e89ef8be745e9eb081508aa227764477c72412afca900913b6a719ffa94d03ff524298802cb59c29e9f4399ea43c01a28ac97f0d241afc

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL

Filesize
2.8MB

MD5
cb33fda46dff1f4fa24ff29c5e71eb67

SHA1
39edd16958fd08a8a1ae7ef8ad133c5b2bed143a

SHA256
e6e8945ed2a012b9e8e9f5774377addbd9dae998a26f8b86a9b6358029790a65

SHA512
94391f10c5f8b43e32e89ef8be745e9eb081508aa227764477c72412afca900913b6a719ffa94d03ff524298802cb59c29e9f4399ea43c01a28ac97f0d241afc

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9D964C7\33EcgdrO.CPL

Filesize
2.8MB

MD5
cb33fda46dff1f4fa24ff29c5e71eb67

SHA1
39edd16958fd08a8a1ae7ef8ad133c5b2bed143a

SHA256
e6e8945ed2a012b9e8e9f5774377addbd9dae998a26f8b86a9b6358029790a65

SHA512
94391f10c5f8b43e32e89ef8be745e9eb081508aa227764477c72412afca900913b6a719ffa94d03ff524298802cb59c29e9f4399ea43c01a28ac97f0d241afc

Download Submit
memory/4268-26-0x0000000004950000-0x0000000004A55000-memory.dmp

Filesize
1.0MB

Download
memory/4268-25-0x0000000004950000-0x0000000004A55000-memory.dmp

Filesize
1.0MB

Download
memory/4268-22-0x0000000004950000-0x0000000004A55000-memory.dmp

Filesize
1.0MB

Download
memory/4268-21-0x00000000044B0000-0x00000000045D1000-memory.dmp

Filesize
1.1MB

Download
memory/4268-18-0x0000000004060000-0x0000000004066000-memory.dmp

Filesize
24KB

Download
memory/4288-9-0x0000000010000000-0x00000000102C7000-memory.dmp

Filesize
2.8MB

Download
memory/4288-16-0x0000000005390000-0x0000000005495000-memory.dmp

Filesize
1.0MB

Download
memory/4288-15-0x0000000005390000-0x0000000005495000-memory.dmp

Filesize
1.0MB

Download
memory/4288-12-0x0000000005390000-0x0000000005495000-memory.dmp

Filesize
1.0MB

Download
memory/4288-11-0x0000000005260000-0x0000000005381000-memory.dmp

Filesize
1.1MB

Download
memory/4288-8-0x0000000004E20000-0x0000000004E26000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing