8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f

Analysis

max time kernel
126s
max time network
133s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
11-12-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe
Size

2.8MB
MD5

14f3d0c73419fecbfcb0c206491f8d82
SHA1

f89d614fb87d2ac1d382ba231683eb48c2797e7e
SHA256

8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f
SHA512

a23dad645c3e911966755b40dff2e06dabee12529595fca4515a697612d58ea81f3f9b7b0c0b833da2da287583afd9a4d77e8d3bcee2341237f5ad22349112b6
SSDEEP

49152:yelWO9JpB/77oPV5esepwa+6PLbYrZth37CMNbN3+NcHeciKiUaC2z+6EqrA0:yelW2pBzMbesqH/PLbYFRbRzHecvaPES

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4504	rundll32.exe
3716	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 220	1444	8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe	71
PID 1444 wrote to memory of 220	1444	8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe	71
PID 1444 wrote to memory of 220	1444	8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe	71
PID 220 wrote to memory of 532	220	cmd.exe	74
PID 220 wrote to memory of 532	220	cmd.exe	74
PID 220 wrote to memory of 532	220	cmd.exe	74
PID 532 wrote to memory of 4504	532	control.exe	75
PID 532 wrote to memory of 4504	532	control.exe	75
PID 532 wrote to memory of 4504	532	control.exe	75
PID 4504 wrote to memory of 3228	4504	rundll32.exe	76
PID 4504 wrote to memory of 3228	4504	rundll32.exe	76
PID 3228 wrote to memory of 3716	3228	RunDll32.exe	77
PID 3228 wrote to memory of 3716	3228	RunDll32.exe	77
PID 3228 wrote to memory of 3716	3228	RunDll32.exe	77

C:\Users\Admin\AppData\Local\Temp\8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe
"C:\Users\Admin\AppData\Local\Temp\8d35f5806af2b59ef7307176fcd66470d6867965717b102db4441152b13af01f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\AvLyUF.bAt" "
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl",
        6⤵
        Loads dropped DLL
        
        PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\AvLyUF.bAt

Filesize
69B

MD5
1a8e1e9927a4460a7b56d0c44a73abc9

SHA1
7c6c42dc4f0350267474e88acfc82a1cc300bcbd

SHA256
d521f3da07f5dfe734669219b7bc8d7bebb46345eac2a1d1dbd19c6ae30ff871

SHA512
41b5d148bc8d43e5cc477fb2d3c3f6ad97e118837abd4846bb7c40316724dfa6c1f897d2adad5c26e1100d626fad3468a339ad90864ae42fa240b5c49e7a6c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl

Filesize
2.9MB

MD5
ad429e7b9f0985b2ac2ece700c47c0aa

SHA1
20fca887224aa6cc2b3be105b19bea1d5b107660

SHA256
a12f12ab9c1aa972061c41fa654295c0b4e4a65f021391f1f9e20f62e32a760a

SHA512
548b2bc08e9438340de449f951ef4397ffc06ed1af82c21b57f9e42ef6e38110dbfd5847728c8cad2031d3625d1e6fb3fe2b33ddd11d5394d2c8fd2b0d4e69d3

Download Submit
\Users\Admin\AppData\Local\Temp\7z7D9435A4\OKPGC.cPl

Filesize
3.2MB

MD5
bcfecc83db65466f604fda1fac12f8e8

SHA1
2929dc6e420a71ea44b6a77edf39e7e326978501

SHA256
8b12a7dfa2ef46c924425b47027bd1bed9f35a08375eed0c866fbd337c4e20b7

SHA512
153663904a3ef5dbe764d254069ac6c8d7362591a7b1aec9958d2717cb60a3fad1773177f0a496c81eca92e4d1bf37805195c793e1425812ed7e4dc5f8f36b15

Download Submit
memory/3716-19-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/3716-27-0x00000000048D0000-0x00000000049E7000-memory.dmp

Filesize
1.1MB

Download
memory/4504-9-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/4504-10-0x0000000010000000-0x0000000010334000-memory.dmp

Filesize
3.2MB

Download
memory/4504-12-0x0000000004790000-0x00000000048C6000-memory.dmp

Filesize
1.2MB

Download
memory/4504-13-0x00000000048D0000-0x00000000049E7000-memory.dmp

Filesize
1.1MB

Download
memory/4504-16-0x00000000048D0000-0x00000000049E7000-memory.dmp

Filesize
1.1MB

Download
memory/4504-17-0x00000000048D0000-0x00000000049E7000-memory.dmp

Filesize
1.1MB

Download