9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe
Size

2.3MB
MD5

845f727b97df8c66eacd2979e5d77d6c
SHA1

64806429a0b03e4967846c78ee8e79f040dfacb2
SHA256

9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27
SHA512

2fd3a365e7de2bcc2167cf9f1e8970e4f08257772a91664f92fe50fc3bea40e660abac9ab5683618def5b2e12a3e2e15b32933da03110925cec661974d15316d
SSDEEP

49152:UJGish3lbasS4xwI0Gz6ut12UXGF5kznZaI7N2/94KhM1b:UIish3let4xw2OutoUWF5kEIUFW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2916	2096	9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe	28
PID 2096 wrote to memory of 2916	2096	9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe	28
PID 2096 wrote to memory of 2916	2096	9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe	28
PID 2096 wrote to memory of 2916	2096	9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe	28
PID 2916 wrote to memory of 2648	2916	cmd.exe	30
PID 2916 wrote to memory of 2648	2916	cmd.exe	30
PID 2916 wrote to memory of 2648	2916	cmd.exe	30
PID 2916 wrote to memory of 2648	2916	cmd.exe	30
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2648 wrote to memory of 2668	2648	control.exe	31
PID 2668 wrote to memory of 2512	2668	rundll32.exe	34
PID 2668 wrote to memory of 2512	2668	rundll32.exe	34
PID 2668 wrote to memory of 2512	2668	rundll32.exe	34
PID 2668 wrote to memory of 2512	2668	rundll32.exe	34
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35
PID 2512 wrote to memory of 2236	2512	RunDll32.exe	35

C:\Users\Admin\AppData\Local\Temp\9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe
"C:\Users\Admin\AppData\Local\Temp\9fda81ba97540482ec6a3864bbf98510802497313c0cfb56c9bcdf6a2d722e27.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c .\t.cMd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL",
        6⤵
        Loads dropped DLL
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\t.CmD

Filesize
43B

MD5
7d19e0ba3537acd37b609af2c57a63c8

SHA1
8eb5e04f137b4124430f555a3a288adfc0539578

SHA256
83ff6b9509f527b3c0fa427089cfda6f9401d1f54e416b2ce13c488a7da25797

SHA512
bd2db5753da011b87874ed4808ad0ecd49d609c4ac8abc4e14bb96a4825b7b8b6742d84b66247050ec54c6d60703a5f37d0da3f4d5db932680dd1ce856f1f454

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS038B7EB6\t.CmD

Filesize
43B

MD5
7d19e0ba3537acd37b609af2c57a63c8

SHA1
8eb5e04f137b4124430f555a3a288adfc0539578

SHA256
83ff6b9509f527b3c0fa427089cfda6f9401d1f54e416b2ce13c488a7da25797

SHA512
bd2db5753da011b87874ed4808ad0ecd49d609c4ac8abc4e14bb96a4825b7b8b6742d84b66247050ec54c6d60703a5f37d0da3f4d5db932680dd1ce856f1f454

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS038B7EB6\bYe.CPL

Filesize
2.3MB

MD5
21914b9fb40f9ccdd6c93c04c81e5828

SHA1
a882aed9e2ca45be4816b2740476943ccbd015e9

SHA256
38de9c12a1850e7a90e9c70ccb67473454be4d7e3b6c649b3688206bb76a93a1

SHA512
82b3076ccf2f2a77d8965b7cde3ac4631c7a5d5f519306ad4082598ed41c91c59089c74806fcb36ce55827a489e974164031226316cf4487cc9c9561c7f3dbb2

Download Submit
memory/2236-68-0x0000000002760000-0x0000000002873000-memory.dmp

Filesize
1.1MB

Download
memory/2236-67-0x0000000002760000-0x0000000002873000-memory.dmp

Filesize
1.1MB

Download
memory/2236-65-0x0000000002760000-0x0000000002873000-memory.dmp

Filesize
1.1MB

Download
memory/2236-63-0x0000000002630000-0x0000000002760000-memory.dmp

Filesize
1.2MB

Download
memory/2236-59-0x0000000000160000-0x0000000000166000-memory.dmp

Filesize
24KB

Download
memory/2668-53-0x00000000027C0000-0x00000000028D3000-memory.dmp

Filesize
1.1MB

Download
memory/2668-45-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download
memory/2668-46-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2668-54-0x00000000027C0000-0x00000000028D3000-memory.dmp

Filesize
1.1MB

Download
memory/2668-49-0x0000000002690000-0x00000000027C0000-memory.dmp

Filesize
1.2MB

Download
memory/2668-51-0x00000000027C0000-0x00000000028D3000-memory.dmp

Filesize
1.1MB

Download
memory/2668-50-0x00000000027C0000-0x00000000028D3000-memory.dmp

Filesize
1.1MB

Download