b7802a48689e336caf45d7ce0f44f988451a4e1870f1c78fac07d64aa801a8a4

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe
Size

2.0MB
MD5

75dec2cd433400145dbd3211c6ad34ee
SHA1

016e812aa0dfaa383e5bf82e3eb820b4260b2fc7
SHA256

3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13
SHA512

bcf09159928335c1f3844953f34e32d3314496fd5a41fb9912ce6b258bd87924b29d13fd3312aa0d80d5c6e89595e4e265f35960f87d5aa4e1a1c817bf13dc89
SSDEEP

49152:anGImU6mVe0sxttXGKPipSMNPHkzoVBVR4Qee:aGI6mVKXnPbMNP1BVqRe

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe
2780	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2720	3012	3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe	28
PID 3012 wrote to memory of 2720	3012	3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe	28
PID 3012 wrote to memory of 2720	3012	3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe	28
PID 3012 wrote to memory of 2720	3012	3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe	28
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2720 wrote to memory of 2780	2720	control.exe	29
PID 2780 wrote to memory of 3024	2780	rundll32.exe	33
PID 2780 wrote to memory of 3024	2780	rundll32.exe	33
PID 2780 wrote to memory of 3024	2780	rundll32.exe	33
PID 2780 wrote to memory of 3024	2780	rundll32.exe	33
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32
PID 3024 wrote to memory of 2656	3024	RunDll32.exe	32

C:\Users\Admin\AppData\Local\Temp\3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe
"C:\Users\Admin\AppData\Local\Temp\3c92b98879a595e47fc6280e906c190b9b029de7a0b0c189fdec319b07b8bd13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\HpFkcO.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HpFkcO.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HpFkcO.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3024

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\HpFkcO.Cpl",
1⤵
- Loads dropped DLL
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HpFkcO.Cpl

Filesize
321KB

MD5
6f76a6bfae69e0f7ce8b68a5ee4bb9a7

SHA1
f5957b600370b8214925cdd9038b033b5ad83cfd

SHA256
b91247b021687226a4ce585cb8fc196714144f68610479a06d91eb6dafc63f8c

SHA512
ad809531086e2eacd3bff8580c5e4b87217085992b172cad712d2a2f5b74cfc672ac16a99f07a902afa21e3ab3cca269b47519caf0ef171914fd790008a11a26

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
56KB

MD5
0480373ece67119c2decf87911dae719

SHA1
3b42c974c6b9fe87112228a7cfae1a914a5dcb93

SHA256
97c6576e10efefd0ded73a9e6baae2ba8310143e1c420f9c3533ba8c2468312c

SHA512
aeb33dfd412a50d11a75ca45afd5d8cd82e55b547be34d1fdd9d69a060cd0e7ed2823f192bd132592a5101c479124edbc86dbed383dde38e03eb6ec0cb5398b3

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
33KB

MD5
b5293dd85a63d4b70a44c81bb4511843

SHA1
1205519a3d4a376b8ce342e7258a95c20411caf8

SHA256
218d7da9132944e6cab2f81933f63904ad12c2faf7100b10cb76f35f6edf33b6

SHA512
b218425284e9922c840ae82d421eb7d7b0922a389efa6169b30121c056b951cf57c87d8eb0f235b253040fdfc4bf04b72f20bac8783694de331b31955212353d

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
31KB

MD5
dcae3d7aeee45d4d463c587dfce02530

SHA1
ce3b4f3572fed1515ce30487a51a8b89d41e0b88

SHA256
7548455c4d99ecfea84ba1ad1b30b6301560aa207b404d5930c0dee55225cf59

SHA512
39fd8d6103f851d19b6110dd03f2f0736f51e472d7a5c45a6b001b273fac9ad4cb002cfcad9b9ad9000069494e9b7688d2871ea3995ef9e976fc213ff46ebeb2

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
56KB

MD5
efc6533456526674db445010b1cbf6b5

SHA1
62a9feebe7723d8436179568167e0152fcad4734

SHA256
421265dd7ce5a84b88a75cd3c7a43e2aa705ef8b5da083a1346463593a5632b7

SHA512
60ee9d51e922d5f6ac7d713995866e4ca46b4583319231c1a0fc22bffcdacd054428c6cc9d84bc16ba8b22bea0326de73add102ed273c46f784a3ad36eccf16e

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
585KB

MD5
ba1b294b7dafde3774e690d07e53fbaf

SHA1
126cebabc69297c75b9eaf3bd58c9ba7e63e461f

SHA256
d6fde5dbbd2d2ea19e14b232ad2495dbc36efb5a639a44630e94ea92022d0360

SHA512
7d6c0a7b0a638a085ee67110e607cf4147a7afd9a956699f679565b8ebb46ebb9326abed7f21ad788b8d19c3df05364adcd952a7a67f57432f2d55685555fbbf

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
825KB

MD5
7a217247c7f26b200573cd97d39a4195

SHA1
8ddeec3e1e8264f6650439b7a0799353f54628bc

SHA256
e28db3d4d0152ed9abe1c578d93497b709fbd624bec8fac8b83460dfa1f65fff

SHA512
e51808e5857195ef872c34585e820900fb32765a15c00a3dc0c493a2b9fdc44dee7221fb86de4345493659e11fc7cfb594bb8965127192ec75996058e8d39c7e

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
660KB

MD5
42c0a17a75c8ce7d280c565e4cad4e3e

SHA1
96e7c507fa7796d9b61d679a9a535267ccae92b7

SHA256
52b9b2278774db4d8df0422b2357d10635ac225a87a8448134e35ebc28e893e7

SHA512
87397cdbe20bda978544669b21af9d7fd92c84de64d4c4a7564f94713d71c648dda7ce9e41674b08e35e87a58ba33e645a8f42dcd69c44cb61d1f5ded5315f4c

Download Submit
\Users\Admin\AppData\Local\Temp\HpfkcO.cpl

Filesize
678KB

MD5
cd0b14d5ae1858452124e91804ffbe68

SHA1
431c24a4fe3be6d94ed8f6fd95c3049917a2450d

SHA256
1e0dd2c3c86669e24f673d54568bc869ae86addad8689a06edfadff4e634211a

SHA512
24adf5d3c43f5d7af2f67a36f05ca41de00a74016e3ceaec79748d41a36912d658c024c93088e48c7c91a6c7ce2df519071d79c5ee9d13a4db8776c7002a716b

Download Submit
memory/2656-33-0x0000000002770000-0x0000000002874000-memory.dmp

Filesize
1.0MB

Download
memory/2656-28-0x0000000002650000-0x0000000002770000-memory.dmp

Filesize
1.1MB

Download
memory/2656-30-0x0000000002770000-0x0000000002874000-memory.dmp

Filesize
1.0MB

Download
memory/2656-32-0x0000000002770000-0x0000000002874000-memory.dmp

Filesize
1.0MB

Download
memory/2656-23-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2780-9-0x0000000010000000-0x00000000101AD000-memory.dmp

Filesize
1.7MB

Download
memory/2780-18-0x0000000002680000-0x0000000002784000-memory.dmp

Filesize
1.0MB

Download
memory/2780-17-0x0000000002680000-0x0000000002784000-memory.dmp

Filesize
1.0MB

Download
memory/2780-15-0x0000000002680000-0x0000000002784000-memory.dmp

Filesize
1.0MB

Download
memory/2780-14-0x0000000002680000-0x0000000002784000-memory.dmp

Filesize
1.0MB

Download
memory/2780-13-0x0000000002560000-0x0000000002680000-memory.dmp

Filesize
1.1MB

Download
memory/2780-8-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download