4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe
Size

1.8MB
MD5

cdcc0278c1494afd914ce7bbe69dcd0f
SHA1

dbb27f4b11180d1d78a938a8eb7ad44cd8e5e6d8
SHA256

4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a
SHA512

b4f9767317c49afcd12430b82b9f2e9a726c7666195eacba74898e19f5e02fd88fda3e6c563d0aaf57aa2ce2623b135f2c2e87e8a165248cdbf06b32b6c26cd8
SSDEEP

49152:ye2YXTdywxc/oLyfW2OH1a7u1fGY4Pa+M+jvzKhIeg:yeRRyw+bfW2eJGYobMQz2Ip

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 876	1680	4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe	28
PID 1680 wrote to memory of 876	1680	4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe	28
PID 1680 wrote to memory of 876	1680	4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe	28
PID 1680 wrote to memory of 876	1680	4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe	28
PID 876 wrote to memory of 2704	876	cmd.exe	30
PID 876 wrote to memory of 2704	876	cmd.exe	30
PID 876 wrote to memory of 2704	876	cmd.exe	30
PID 876 wrote to memory of 2704	876	cmd.exe	30
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2704 wrote to memory of 2632	2704	control.exe	31
PID 2632 wrote to memory of 976	2632	rundll32.exe	32
PID 2632 wrote to memory of 976	2632	rundll32.exe	32
PID 2632 wrote to memory of 976	2632	rundll32.exe	32
PID 2632 wrote to memory of 976	2632	rundll32.exe	32
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33
PID 976 wrote to memory of 832	976	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe
"C:\Users\Admin\AppData\Local\Temp\4fc59da25697b98d53f7bcd45f3770c9ab97be40e183bd08565a7dd6e8ab409a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z608AB690\K3SBB.CMd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl",
        6⤵
        Loads dropped DLL
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z608AB690\K3SBB.CMd

Filesize
96B

MD5
3128f6eb6310b4e355efd6b5db9ee666

SHA1
7d5437849f01f1b73bab71ab9880492ec7ba3e70

SHA256
347d8e9e5613514d9f1d2c5d79fc69ba5454b0e66389ae2bf250275c33abbbce

SHA512
2c2711731be4f3939151d6d02a51d23a74c376b3b105a72dd6a42506b2d3dbc415bca487e1a1cec9bddadef10aa1dd134a1ca0a84b016165c9e4a6848b9b10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
1.2MB

MD5
13bd4f620e45cce309be7cf2391130cb

SHA1
b34ffa24a87db654d46142e9cd641955ea6564b5

SHA256
2ede42e997a327d5fed28d4b53d3ebb06445ed6c460e407a48b2e2d409a6cd64

SHA512
b23667023c0d2361173870267824741eadadd0a96349272e50960851dc96de251273eead3aafb82791dae232f3dc02e95502f81a135bd7e229ec230f78a917b7

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
14KB

MD5
1efd47da4e14074c2b5ee2fbc2d1b9cf

SHA1
69a5ce25e33219f9f5fe8d176240387c2eb46aca

SHA256
ee9ae5e4791a0c5f904ed928bcfd9cc4a36534eef635a03a93aee074faa878aa

SHA512
4ba2d1bada01288db04a4dfa8e198e7245361b53300f462334344c072fb73b1c9c37b823e560e4f536efa810a1b97c15d9b319897571f54383542eab9dca9fb8

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
24KB

MD5
75e6b044b9c2269c755090a2493761c5

SHA1
f3317b28083f125dbe356146dfdae6e0e5b4f70a

SHA256
bc929590854e2c2a338b2057281586fb6eeadaec1d7de2c38b1ca4a8d87bc41f

SHA512
aec733f2d2b015406cff90f951bd8b6580b16ae094ee15c1bdfd2298f3d693813ff246b18aa5207b66d2b6a845b31c61bcf8fcc3e19f964ce90e5d405b114b8e

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
1KB

MD5
8de337d72508e89f72660846ef8f0353

SHA1
c0dcfef94579f5b87ab9a699b709ac3e84b2abcb

SHA256
03cc77a1ca5c171248e7177ace8ee82277571be0b8df4d39560cfd7d2b2aed6c

SHA512
4dc13d795028afcdddebbda11be003a749befaf15456d1b9d543fcc97ab88f5547d0005e97698c7bae784274e7374ad4330df9504ad3a591a3a33da5b60052b1

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
154KB

MD5
17f93644252043ed1af56a86e56bd2ef

SHA1
3dc625e85453c65f183c8b9198df8f84e3ed81ec

SHA256
1a689caed7cfe4ef1533580b877f54e279f93762ed56c4a2f3e449b9268f6982

SHA512
b72b686b3a8fc77cbe1b142309d1f78246dfafe471ff123f57c27e62e4b587ef998f65e0c1bfc23e99c2f5a46c894bbc7c47fcddce003bab83a5110d484d1116

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
323KB

MD5
9e06c62235d7a7400dc45f32a7332284

SHA1
d11d41e46c5eaba644fb9536a4037bfe822f1319

SHA256
36b8443d1dbc7aa9d42de05a899a87c42965649c5f6531fba534a2fad71ede46

SHA512
644e9cd9281db756a3b921e888a6dffac8526c8b7e1572b30431ad22ab35aac63e8a820c5b99f8bffcaf5ec3c284ae85a3fdf4cf54585606f73a5849ff2225bf

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
78KB

MD5
9c5177cb6bb9ec1c65cd16bc9105113b

SHA1
90e7b04c23288f0ee7dc59bac0eda3f8696d2c93

SHA256
df4ed982aed2defab28864f6f7f17a038880b64b7305bf725d9a6927981dc182

SHA512
8fd00e3ab54724cb64cc61f5b486f97ab18620c605bed7698b70bed5c9ec22b16bd93950dc07a39840e6c7022d5ee202268eff2196330ee58697e54be4572601

Download Submit
\Users\Admin\AppData\Local\Temp\7z608AB690\YjY.cPl

Filesize
78KB

MD5
502cdb8718134587cfed178ee75970f8

SHA1
d1a0d8247e69f87e3714cc3705614e89bd03fa66

SHA256
2a5ab785034e634e74c46a332a5da1455eef5070eb735cf07d115150c3f18ca4

SHA512
f3e5127e4072e15c044ebeeb068a33290c9eee6a9d7813d32c1a8cdb174b0c3fd026b606c6d96c03bbd04c223cad24c99c5e6742e98aaf9e0e8cc2c26a08e774

Download Submit
memory/832-84-0x0000000002B30000-0x0000000002C48000-memory.dmp

Filesize
1.1MB

Download
memory/832-74-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/832-92-0x0000000036380000-0x00000000363CE000-memory.dmp

Filesize
312KB

Download
memory/832-91-0x0000000000070000-0x0000000000082000-memory.dmp

Filesize
72KB

Download
memory/832-90-0x0000000003420000-0x0000000003532000-memory.dmp

Filesize
1.1MB

Download
memory/832-88-0x0000000003420000-0x0000000003532000-memory.dmp

Filesize
1.1MB

Download
memory/832-86-0x0000000003310000-0x000000000341A000-memory.dmp

Filesize
1.0MB

Download
memory/832-81-0x0000000002B30000-0x0000000002C48000-memory.dmp

Filesize
1.1MB

Download
memory/832-78-0x0000000002B30000-0x0000000002C48000-memory.dmp

Filesize
1.1MB

Download
memory/832-77-0x0000000000DD0000-0x0000000000F07000-memory.dmp

Filesize
1.2MB

Download
memory/2632-68-0x0000000003720000-0x0000000003832000-memory.dmp

Filesize
1.1MB

Download
memory/2632-54-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2632-56-0x0000000002CF0000-0x0000000002E27000-memory.dmp

Filesize
1.2MB

Download
memory/2632-57-0x0000000002E30000-0x0000000002F48000-memory.dmp

Filesize
1.1MB

Download
memory/2632-60-0x0000000002E30000-0x0000000002F48000-memory.dmp

Filesize
1.1MB

Download
memory/2632-52-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2632-61-0x0000000010000000-0x00000000101E1000-memory.dmp

Filesize
1.9MB

Download
memory/2632-67-0x0000000003720000-0x0000000003832000-memory.dmp

Filesize
1.1MB

Download
memory/2632-66-0x0000000003610000-0x000000000371A000-memory.dmp

Filesize
1.0MB

Download
memory/2632-65-0x0000000002F50000-0x000000000360A000-memory.dmp

Filesize
6.7MB

Download
memory/2632-64-0x0000000002E30000-0x0000000002F48000-memory.dmp

Filesize
1.1MB

Download
memory/2632-98-0x0000000003720000-0x0000000003832000-memory.dmp

Filesize
1.1MB

Download
memory/2632-99-0x0000000000130000-0x0000000000142000-memory.dmp

Filesize
72KB

Download