5dea67a7ae76a61080b0f3efd40259a1c1b2f812e1d41c0be5ea68872aa8e79b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 11:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup294.exe
Size

2.1MB
MD5

8a801eb9b1657c89be1d55d84ba5800f
SHA1

84bd1da8db515a639a0e03267fa0ec0a328aa79b
SHA256

aac2efad045c899de727c277bfd267153dee32ea196d30768422c6fffbca72e0
SHA512

d6ce0bcbebf74a9e8b52e5168b7bdc3a4517e4cf8966ed8bf17f90ab85102aed5a155629bc667db03a6bc75ebb87d143cb3e20ed47fdbe46fa06f778934ec7b3
SSDEEP

49152:B86D3zYWjS5xaxJ2oPykY4C20QuHBDmDvdpYyG5yuc5h5Qw5dh9srJu2NfloTA8p:B803z+x6wp28H1ecyGuf5Q0dgrJuRiBo

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2336	2432	setup294.exe	28
PID 2432 wrote to memory of 2336	2432	setup294.exe	28
PID 2432 wrote to memory of 2336	2432	setup294.exe	28
PID 2432 wrote to memory of 2336	2432	setup294.exe	28
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2336 wrote to memory of 2776	2336	control.exe	29
PID 2776 wrote to memory of 2664	2776	rundll32.exe	30
PID 2776 wrote to memory of 2664	2776	rundll32.exe	30
PID 2776 wrote to memory of 2664	2776	rundll32.exe	30
PID 2776 wrote to memory of 2664	2776	rundll32.exe	30
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31
PID 2664 wrote to memory of 2652	2664	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\setup294.exe
"C:\Users\Admin\AppData\Local\Temp\setup294.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS089849A6\JORVqsm.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS089849A6\JORVqsm.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS089849A6\JORVqsm.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS089849A6\JORVqsm.CpL",
        5⤵
        Loads dropped DLL
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS089849A6\JORVqsm.CpL

Filesize
2.1MB

MD5
cec689ae4f282b74949be7cd4e70fd8f

SHA1
68aa0ce1e9dc668a850202e88d66399b26e3559a

SHA256
b40c000e3d3699780f58436a818f286e01238d1f8768636709540cc8d7365cb7

SHA512
77dcb56843d74035cfa7c7b1c0d679e2fec9bd979389f07c27ceab5954441f7bf339a3e4d540a5da7a4dce8816c43a7c39c908ae39519190c5fa4bfcf667668b

Download Submit
memory/2652-22-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2652-25-0x0000000002580000-0x00000000026B2000-memory.dmp

Filesize
1.2MB

Download
memory/2652-26-0x00000000026C0000-0x00000000027D7000-memory.dmp

Filesize
1.1MB

Download
memory/2652-29-0x00000000026C0000-0x00000000027D7000-memory.dmp

Filesize
1.1MB

Download
memory/2652-30-0x00000000026C0000-0x00000000027D7000-memory.dmp

Filesize
1.1MB

Download
memory/2776-9-0x00000000000E0000-0x00000000000E6000-memory.dmp

Filesize
24KB

Download
memory/2776-8-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/2776-12-0x00000000027A0000-0x00000000028D2000-memory.dmp

Filesize
1.2MB

Download
memory/2776-13-0x00000000028E0000-0x00000000029F7000-memory.dmp

Filesize
1.1MB

Download
memory/2776-16-0x00000000028E0000-0x00000000029F7000-memory.dmp

Filesize
1.1MB

Download
memory/2776-17-0x00000000028E0000-0x00000000029F7000-memory.dmp

Filesize
1.1MB

Download