bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938

Analysis

max time kernel
219s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe
Size

3.1MB
MD5

00f7d424988fdf1ed2d04905d90fe256
SHA1

ee53d07b3098a60bdb15813caa4276e32a80718f
SHA256

bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938
SHA512

0fc5af193d711b035097e81cc3153f509c74e5b1e07e2aca2b605995b544efc0163ce003d20df0e5904308007ed4937bab5dc984e9ed85c1d2b1935e2db9cf77
SSDEEP

49152:anGImUjB32I4AX4hnFNYcJES0jV48gx1SrnYIw3OFB8Ax+AIONL4zu74IPsnzZKa:aGIjB6AohnFKyG4JvS7rw38B+AIHElPC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe
2212	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2784	2916	bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe	28
PID 2916 wrote to memory of 2784	2916	bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe	28
PID 2916 wrote to memory of 2784	2916	bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe	28
PID 2916 wrote to memory of 2784	2916	bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe	28
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2784 wrote to memory of 2796	2784	control.exe	29
PID 2796 wrote to memory of 2040	2796	rundll32.exe	32
PID 2796 wrote to memory of 2040	2796	rundll32.exe	32
PID 2796 wrote to memory of 2040	2796	rundll32.exe	32
PID 2796 wrote to memory of 2040	2796	rundll32.exe	32
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33
PID 2040 wrote to memory of 2212	2040	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe
"C:\Users\Admin\AppData\Local\Temp\bb330cb65796d9bdefe8c2e81651f639e3de9bdbca20b68fb1db57fd7f9e2938.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\__NTPNP.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\__NTPNP.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\__NTPNP.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\__NTPNP.cpL",
        5⤵
        Loads dropped DLL
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__NTPNP.cpL

Filesize
2.2MB

MD5
a6ca7ec7b9b2c4542bd0864d73e56ac8

SHA1
69453e475ceff974d5b594eaa831a75f5a3b3c66

SHA256
d5984f348eaec4509032410ccf091602c353d014fe9edd3477e54d41bd25ba67

SHA512
4710e56e3e69a962001544770b767b10afa8ddbda4e1b0d4c1166c5ed735119b8b717db573a9f43768e223ee1d0026907e37ee7aa4c3a17db5f061171aa3fd3f

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
362KB

MD5
e5fd62d8b78cff821c54a20104e5a074

SHA1
fbfb2f43ef2ff548e31cc28a288f3b74c210a633

SHA256
c68e8a72a732da7c96e7a77269e4b13c489c7abaa6ac0d51e534784183fba9c3

SHA512
27d034c0cea5bd86576fa9e9e252d605a5cc3f1aa2398c00c7f9b64ca9cb18d9ccdfe90f91b9c0226165ad01ef674df8e092c8778f961ddd26f3d79212bfc321

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
233KB

MD5
825f8bda9a4575584d4323d2d04e1b0e

SHA1
eba348418d64d69451a6180704feb147b164ce73

SHA256
aed6d597cae2b5c550ae6b4cd2cd09143074f33d4dcda8d05f143b96cf164e87

SHA512
cd32ed3d000bbdb6f2538797962a457c9152c8b95407e8fec920fc943b75b20bc0749213ef500d53697438dcdf52cfadd711f124b8b936ef0543157d3db2d501

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
241KB

MD5
69dd9c4295d603ed16e6c1a7f8ee1d01

SHA1
ba4cbd8895330f665bb0a45d3e3aaad22e9e5500

SHA256
077237a0380390494b2373f233ecbcb89bdadc8937a7c44f4db25d40d8f7bb0e

SHA512
34dca6231e51c7eaa495ba8bd922863628285dd39741ad4147af32404415c997f8180b86e37f78c3d01a8568e3f0d4d3d9f7db9e0e4d2daec8f433626f1a2385

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
254KB

MD5
b1d2c0f2f21426c7fea14ce01b7336ef

SHA1
df35aa920dc49834e2131641db604e405d071de8

SHA256
d389ed8777d604578508e56b20551be9a57d20c08e856c0e9f2c2ce5bbb613e2

SHA512
44b03f85c44144580d859c6ce313db995699b68cfeb5536c24a58c27d6e42d77cabec9b7e3b6a711d1059904aa5a57b1b91106ed08db153ede4a3fdb98bba04a

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
1.4MB

MD5
875dc25913cbcb5413331aaee6b2eb52

SHA1
be13b5e70f76ded1f19cec600b254670828fe331

SHA256
1cf1b9cf923ef25f7a46bff78e3edd79045efe86e92d264ad63542c38aac6f6e

SHA512
43294a4e200eb3de451411eb58b48225e3bf1b92b07ad71a90c9d94acb6c18654bf30e8f05893cfeea56e208e04d526282a8b9dedc2a8d783a21e39e82f603e9

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
2.1MB

MD5
db6e36f04ccb50b83ee10604f078b969

SHA1
3fe5e8179094fa754b784b28ac84116087f6d2c4

SHA256
3a0a18d09c76f003680e7dcfe964ec42ed76e7c2a5c828529bf7ec82067674c2

SHA512
592e17713d35b26328c152bfb07cbd3fe25a3047c404392f3d02d9bb9a1450e9b9ac76eac49a6a90f762258e23ffd85a4a488cd177a1a8088cd9ee98a391c271

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
2.7MB

MD5
7cb50c2345291eb9f59e50b06309235c

SHA1
b2a7a5d56284c3fdf5686bed3b57ca65bb147406

SHA256
46b7c07baf45daccc69f2b2827dc5514190d7dd913333adfe0f23a9ab6ba25ff

SHA512
4748ee2a47e888c7d95cf64bce9c6e2a749b2cfaa03c2263a6e4413f5894a86f2fbe785fd8fa6a8e02e839713b7149e7e6998a05a3ff7f8264e26223db90f8ef

Download Submit
\Users\Admin\AppData\Local\Temp\__NTPNP.cpl

Filesize
2.7MB

MD5
a77eb8620acf3c72da6c41013a7789a0

SHA1
ca67d228eebcb3d93dba7e8803324be7a8260803

SHA256
4c2ee239026806bd8f03db69be64696cace21e0a2c120071c1f2a6cdc08fb9f4

SHA512
577d61a9ff0607f4cb2b3307ff5b9fbbd9b4591fcefde1504d5bdf8e3e05334aad04aec6fdc97bf97c1aca41c143ed83025d8fe12a6b64bdc6f34fa858c41569

Download Submit
memory/2212-46-0x00000000023A0000-0x00000000026A1000-memory.dmp

Filesize
3.0MB

Download
memory/2212-41-0x0000000002AA0000-0x0000000002BB5000-memory.dmp

Filesize
1.1MB

Download
memory/2212-58-0x0000000056290000-0x00000000562D8000-memory.dmp

Filesize
288KB

Download
memory/2212-57-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download
memory/2212-56-0x0000000004960000-0x0000000004A49000-memory.dmp

Filesize
932KB

Download
memory/2212-54-0x0000000004960000-0x0000000004A49000-memory.dmp

Filesize
932KB

Download
memory/2212-53-0x0000000004960000-0x0000000004A49000-memory.dmp

Filesize
932KB

Download
memory/2212-52-0x0000000004870000-0x000000000495C000-memory.dmp

Filesize
944KB

Download
memory/2212-34-0x00000000023A0000-0x00000000026A1000-memory.dmp

Filesize
3.0MB

Download
memory/2212-51-0x0000000002CC0000-0x0000000004862000-memory.dmp

Filesize
27.6MB

Download
memory/2212-35-0x00000000023A0000-0x00000000026A1000-memory.dmp

Filesize
3.0MB

Download
memory/2212-36-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2212-49-0x0000000002BC0000-0x0000000002CB9000-memory.dmp

Filesize
996KB

Download
memory/2212-45-0x0000000002BC0000-0x0000000002CB9000-memory.dmp

Filesize
996KB

Download
memory/2212-42-0x0000000002BC0000-0x0000000002CB9000-memory.dmp

Filesize
996KB

Download
memory/2796-28-0x0000000004A70000-0x0000000004B59000-memory.dmp

Filesize
932KB

Download
memory/2796-64-0x0000000004A70000-0x0000000004B59000-memory.dmp

Filesize
932KB

Download
memory/2796-11-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2796-8-0x00000000025E0000-0x00000000028E1000-memory.dmp

Filesize
3.0MB

Download
memory/2796-14-0x0000000002BB0000-0x0000000002CC5000-memory.dmp

Filesize
1.1MB

Download
memory/2796-15-0x0000000002CD0000-0x0000000002DC9000-memory.dmp

Filesize
996KB

Download
memory/2796-26-0x0000000004980000-0x0000000004A6C000-memory.dmp

Filesize
944KB

Download
memory/2796-18-0x0000000002CD0000-0x0000000002DC9000-memory.dmp

Filesize
996KB

Download
memory/2796-9-0x00000000025E0000-0x00000000028E1000-memory.dmp

Filesize
3.0MB

Download
memory/2796-25-0x0000000002DD0000-0x0000000004972000-memory.dmp

Filesize
27.6MB

Download
memory/2796-24-0x0000000002CD0000-0x0000000002DC9000-memory.dmp

Filesize
996KB

Download
memory/2796-19-0x00000000025E0000-0x00000000028E1000-memory.dmp

Filesize
3.0MB

Download
memory/2796-27-0x0000000004A70000-0x0000000004B59000-memory.dmp

Filesize
932KB

Download
memory/2796-65-0x00000000000D0000-0x00000000000E2000-memory.dmp

Filesize
72KB

Download