126c28a384755ca7d55b558a8ac91ea0b50c4128d51b310e2ee55b481aa0571a

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
Size

2.6MB
MD5

808149e0981d14d747f5cfd8516fa74f
SHA1

e11502647f3d0dcbe3e2c2b67fb26f57c1474032
SHA256

126c28a384755ca7d55b558a8ac91ea0b50c4128d51b310e2ee55b481aa0571a
SHA512

bfe71446f332744be5bebc5a54bdfad79cfd9c77c2352e3e6876ee911e318511741705171220d8ddcdd7aec7a85c5d2629eb62720c8a0f077753d41c544f4481
SSDEEP

49152:xWhlkLBfJXAEXvUlFWYhdN5Bb3WVIOrIIWUNfGneJ4d7ZLInQyKCXPAM:xWhl0BfKE/MDdltIImG7ZmKgD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1272	rundll32.exe
1272	rundll32.exe
1272	rundll32.exe
1272	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1412	1772	SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe	19
PID 1772 wrote to memory of 1412	1772	SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe	19
PID 1772 wrote to memory of 1412	1772	SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe	19
PID 1772 wrote to memory of 1412	1772	SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe	19
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1412 wrote to memory of 1272	1412	control.exe	18
PID 1272 wrote to memory of 1796	1272	rundll32.exe	32
PID 1272 wrote to memory of 1796	1272	rundll32.exe	32
PID 1272 wrote to memory of 1796	1272	rundll32.exe	32
PID 1272 wrote to memory of 1796	1272	rundll32.exe	32
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33
PID 1796 wrote to memory of 2560	1796	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\RunDll32.exe
  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
    3⤵
    - Loads dropped DLL
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\OZpPek.cpl

Filesize
92KB

MD5
6cccfba9baa25547231081111d7a35d7

SHA1
e6ae0126d376b9a5f3db4ed265e9842b200a4b4b

SHA256
08983be81c255754c647f18e9c09f410690016af30d06cde845fc048ce44f293

SHA512
17aa29f5ecc4ce5d60d83f85cb71d4270718e510d80b1fa469f94c7e3f22543a435fd0fd184af8f21171bd86a25db5b2748b55459e9f35b12a3b4ba4d5ed79ca

Download Submit
memory/1272-23-0x00000000040B0000-0x00000000041C9000-memory.dmp

Filesize
1.1MB

Download
memory/1272-55-0x00000000040B0000-0x00000000041C9000-memory.dmp

Filesize
1.1MB

Download
memory/1272-12-0x00000000021D0000-0x000000000230B000-memory.dmp

Filesize
1.2MB

Download
memory/1272-13-0x0000000002880000-0x000000000299B000-memory.dmp

Filesize
1.1MB

Download
memory/1272-16-0x0000000002880000-0x000000000299B000-memory.dmp

Filesize
1.1MB

Download
memory/1272-17-0x0000000010000000-0x000000001027A000-memory.dmp

Filesize
2.5MB

Download
memory/1272-20-0x0000000002880000-0x000000000299B000-memory.dmp

Filesize
1.1MB

Download
memory/1272-21-0x00000000029A0000-0x0000000003F93000-memory.dmp

Filesize
21.9MB

Download
memory/1272-22-0x0000000003FA0000-0x00000000040AE000-memory.dmp

Filesize
1.1MB

Download
memory/1272-8-0x0000000010000000-0x000000001027A000-memory.dmp

Filesize
2.5MB

Download
memory/1272-10-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1272-56-0x00000000000D0000-0x00000000000E1000-memory.dmp

Filesize
68KB

Download
memory/2560-34-0x0000000002980000-0x0000000002A9B000-memory.dmp

Filesize
1.1MB

Download
memory/2560-41-0x0000000002980000-0x0000000002A9B000-memory.dmp

Filesize
1.1MB

Download
memory/2560-43-0x00000000040A0000-0x00000000041AE000-memory.dmp

Filesize
1.1MB

Download
memory/2560-44-0x00000000041B0000-0x00000000042C9000-memory.dmp

Filesize
1.1MB

Download
memory/2560-47-0x00000000041B0000-0x00000000042C9000-memory.dmp

Filesize
1.1MB

Download
memory/2560-48-0x0000000000130000-0x0000000000141000-memory.dmp

Filesize
68KB

Download
memory/2560-49-0x000000003B230000-0x000000003B283000-memory.dmp

Filesize
332KB

Download
memory/2560-33-0x0000000002840000-0x000000000297B000-memory.dmp

Filesize
1.2MB

Download
memory/2560-37-0x0000000002980000-0x0000000002A9B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing