8be250e4e06d0d1d6e51cc2675f4c3639fa52fbc594099df3c0e98635d299188

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b071f9ef45cabd0294a31549339dd55.exe
Size

2.2MB
MD5

5b071f9ef45cabd0294a31549339dd55
SHA1

f9fda92882daaec185b79b05fd840e1525fddab9
SHA256

8be250e4e06d0d1d6e51cc2675f4c3639fa52fbc594099df3c0e98635d299188
SHA512

2afa20c6f5e2179cdb39fa88b55f8637898387c3294d79718f76af85aee2129b46e9d10f230931cd3da9cb7d4719a3df48ec42bffecee9d80ef1becfa1b2ad55
SSDEEP

49152:ufbjKpwf1OdBT+103W8dlcK8999tgstw7ruaLUeu9UdL7:9UOfu03ffcK87IP7ruHN90

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2772	2140	5b071f9ef45cabd0294a31549339dd55.exe	28
PID 2140 wrote to memory of 2772	2140	5b071f9ef45cabd0294a31549339dd55.exe	28
PID 2140 wrote to memory of 2772	2140	5b071f9ef45cabd0294a31549339dd55.exe	28
PID 2140 wrote to memory of 2772	2140	5b071f9ef45cabd0294a31549339dd55.exe	28
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2772 wrote to memory of 2700	2772	control.exe	29
PID 2700 wrote to memory of 1240	2700	rundll32.exe	30
PID 2700 wrote to memory of 1240	2700	rundll32.exe	30
PID 2700 wrote to memory of 1240	2700	rundll32.exe	30
PID 2700 wrote to memory of 1240	2700	rundll32.exe	30
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32
PID 1240 wrote to memory of 2464	1240	RunDll32.exe	32

C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe
"C:\Users\Admin\AppData\Local\Temp\5b071f9ef45cabd0294a31549339dd55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC58DD576\2.Cpl

Filesize
2.1MB

MD5
0b3a02cb25e6fc8efd73337e64211da3

SHA1
95270c02e43833898abb6726ef849acb7a795376

SHA256
ebe18a6cf799adcc905b28cb725a7f19049a5e3ea9601ced01caea8b2be50eda

SHA512
2a17e9beaa7d7d0d8e4ca6c83bd10937bd93d56e152758f8d41b4774fc92f0b8f8a2970df65e64dcf544dc3e46db23c9c5e4415492794646fa0392900f7bb676

Download Submit
memory/2464-23-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2464-26-0x00000000026F0000-0x0000000002818000-memory.dmp

Filesize
1.2MB

Download
memory/2464-27-0x0000000002820000-0x000000000292C000-memory.dmp

Filesize
1.0MB

Download
memory/2464-30-0x0000000002820000-0x000000000292C000-memory.dmp

Filesize
1.0MB

Download
memory/2464-31-0x0000000002820000-0x000000000292C000-memory.dmp

Filesize
1.0MB

Download
memory/2700-8-0x0000000010000000-0x0000000010227000-memory.dmp

Filesize
2.2MB

Download
memory/2700-9-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2700-13-0x00000000025A0000-0x00000000026C8000-memory.dmp

Filesize
1.2MB

Download
memory/2700-14-0x00000000026D0000-0x00000000027DC000-memory.dmp

Filesize
1.0MB

Download
memory/2700-17-0x00000000026D0000-0x00000000027DC000-memory.dmp

Filesize
1.0MB

Download
memory/2700-18-0x00000000026D0000-0x00000000027DC000-memory.dmp

Filesize
1.0MB

Download