336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94

General

Target

336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe
Size

1.9MB
MD5

64af03328c64e55600d79b3751afeb98
SHA1

fd2aa540f01e58083732a207216decf92dde7068
SHA256

336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94
SHA512

b1438b20dbf15f3c750927a4680c5acb1878a0b69c42525c126c47fa908e8d373736269cfa913cfb0acb10e4ebb8675e923f577f6c066a7fc430e5da44a861b1
SSDEEP

49152:anGImUl9Ljt8+fC0uRjKPjL/g6EYUuBnrURHPvqqx306:aGIl93JfC9RjKPg6jBU1306

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4992	rundll32.exe
5072	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000_Classes\Local Settings	336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 1632	4500	336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe	24
PID 4500 wrote to memory of 1632	4500	336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe	24
PID 4500 wrote to memory of 1632	4500	336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe	24
PID 1632 wrote to memory of 4992	1632	control.exe	30
PID 1632 wrote to memory of 4992	1632	control.exe	30
PID 1632 wrote to memory of 4992	1632	control.exe	30
PID 4992 wrote to memory of 60	4992	rundll32.exe	77
PID 4992 wrote to memory of 60	4992	rundll32.exe	77
PID 60 wrote to memory of 5072	60	RunDll32.exe	78
PID 60 wrote to memory of 5072	60	RunDll32.exe	78
PID 60 wrote to memory of 5072	60	RunDll32.exe	78

C:\Users\Admin\AppData\Local\Temp\336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe
"C:\Users\Admin\AppData\Local\Temp\336ac35f2f093039d91daf6ccd9661a2ed5bcf3ddfbd84e5b5ee680e99443a94.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1KiT02.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1KiT02.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1KiT02.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\1KiT02.cpL",
        5⤵
        Loads dropped DLL
        
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1KiT02.cpL

Filesize
1.6MB

MD5
6f6ff941eda5d41adb41a8b42c72feed

SHA1
9184a818aa952429ff0671f066be21ba1c4b0efd

SHA256
35d1e14d9e6e82039c12385e70ab55ed140830c17a9208f7343e423eaae2ef14

SHA512
15c0782ec5f37120cf7b12625a34a4c7135c06f6c84a930cd96cd6197d92376238bb5a9f02fd20de0cd9f261fb96b36d6cc37e7f90654d641ed967be3adaa828

Download Submit
\Users\Admin\AppData\Local\Temp\1Kit02.cpl

Filesize
1.7MB

MD5
07797b22d86bff5157b07451faa19ae8

SHA1
df054a961c55dcb131ee7bb7dd5eb4447883f282

SHA256
226debb930fc1deb43f6159995eefdef15eeebf7bd86bd9c482a521399f5336b

SHA512
810e5161ba440e88c70e8392efcdfbadbc0926bc9a4f4c7e5ff68e3e85363c327bc87a2a37cabea3dd8b27d8c67608e3d7c8bdded0296d52f3a3250958cc15e7

Download Submit
\Users\Admin\AppData\Local\Temp\1Kit02.cpl

Filesize
737KB

MD5
7e3358b680ff5370a3ecaf6007db60cf

SHA1
6811f6585a6ca4a6fbefdc9ed7344b5acfe63be7

SHA256
a669011bc93f4ff35871604c92aa67002b9adb14d4f865c2b2016f288b085a5a

SHA512
0ac15419f96a5a019dd5ca2edaa84d7ed181cb44cf223e760f88d21947389737fe2dcac19645f9c7fe79dccd6eaa51196a77ea9b302c0b3cc52f6da5e195d61b

Download Submit
memory/4992-18-0x0000000004970000-0x0000000004A85000-memory.dmp

Filesize
1.1MB

Download
memory/4992-20-0x0000000005070000-0x0000000005178000-memory.dmp

Filesize
1.0MB

Download
memory/4992-14-0x0000000004970000-0x0000000004A85000-memory.dmp

Filesize
1.1MB

Download
memory/4992-11-0x0000000004970000-0x0000000004A85000-memory.dmp

Filesize
1.1MB

Download
memory/4992-15-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/4992-69-0x0000000005180000-0x000000000528F000-memory.dmp

Filesize
1.1MB

Download
memory/4992-19-0x0000000004A90000-0x000000000506D000-memory.dmp

Filesize
5.9MB

Download
memory/4992-10-0x0000000004830000-0x0000000004963000-memory.dmp

Filesize
1.2MB

Download
memory/4992-21-0x0000000005180000-0x000000000528F000-memory.dmp

Filesize
1.1MB

Download
memory/4992-22-0x0000000005180000-0x000000000528F000-memory.dmp

Filesize
1.1MB

Download
memory/4992-8-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/4992-7-0x0000000010000000-0x00000000101B7000-memory.dmp

Filesize
1.7MB

Download
memory/4992-71-0x0000000000420000-0x000000000046E000-memory.dmp

Filesize
312KB

Download
memory/4992-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5072-44-0x0000000003010000-0x0000000003016000-memory.dmp

Filesize
24KB

Download
memory/5072-54-0x0000000005200000-0x0000000005315000-memory.dmp

Filesize
1.1MB

Download
memory/5072-56-0x0000000005900000-0x0000000005A08000-memory.dmp

Filesize
1.0MB

Download
memory/5072-57-0x0000000005A10000-0x0000000005B1F000-memory.dmp

Filesize
1.1MB

Download
memory/5072-59-0x0000000005A10000-0x0000000005B1F000-memory.dmp

Filesize
1.1MB

Download
memory/5072-61-0x0000000005A10000-0x0000000005B1F000-memory.dmp

Filesize
1.1MB

Download
memory/5072-62-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/5072-63-0x0000000000B80000-0x0000000000BCE000-memory.dmp

Filesize
312KB

Download
memory/5072-51-0x0000000005200000-0x0000000005315000-memory.dmp

Filesize
1.1MB

Download
memory/5072-47-0x0000000005200000-0x0000000005315000-memory.dmp

Filesize
1.1MB

Download
memory/5072-46-0x0000000004A80000-0x0000000004BB3000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing