9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639

General

Target

9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe
Size

2.5MB
MD5

aa5678bc524fc946aac14559ed68db35
SHA1

6571c4f749cf5f73e1dc7d93de8bff6a99f604f7
SHA256

9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639
SHA512

60dfe5af4dc254cc9cf49edbb330b64e5c733e44ff8a315345b1e7d912d74868f44bc27e9319485a0669e084f2f931ea9117415e6bf3c4bdd911c0d8ba754849
SSDEEP

49152:1monDFXSI/L+WL3WvITExBBZ4esnr9DAiVwyDS+z+/lg28lv/hg2nm:1moJS2LhWwAzBZlsnr9D/mI7z+/18lvE

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2488	2088	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	28
PID 2088 wrote to memory of 2488	2088	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	28
PID 2088 wrote to memory of 2488	2088	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	28
PID 2088 wrote to memory of 2488	2088	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	28
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2488 wrote to memory of 2228	2488	control.exe	29
PID 2228 wrote to memory of 2728	2228	rundll32.exe	30
PID 2228 wrote to memory of 2728	2228	rundll32.exe	30
PID 2228 wrote to memory of 2728	2228	rundll32.exe	30
PID 2228 wrote to memory of 2728	2228	rundll32.exe	30
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31
PID 2728 wrote to memory of 2916	2728	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe
"C:\Users\Admin\AppData\Local\Temp\9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
        5⤵
        Loads dropped DLL
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL

Filesize
640KB

MD5
065bef7d7037b31abd1543d92d7a9864

SHA1
6b50081421ea05a50be8a319326b77b1c5c2c66b

SHA256
895a9e125787b0ffe29d02096b8addcd9a4c1d1ab76589493e0bf2cbafc2ed13

SHA512
fdf61c62498c7a19213191111cc249c8b924016619e2c13a7fefecc5bc10b9fbbd9584d6c60202b93d05db278a3fc4f0c3f743a63f001fbd7e99495765702c66

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
2.4MB

MD5
c6b3843553fe6a5a677552a4765620a7

SHA1
feb14915a0b3d846a1b9d2f7b8a7f35909bd871e

SHA256
94861ddfb9e04192cb960794af0ed6413b37a51a9cfa438ef83f1670cd2c3909

SHA512
9e495ad843b014b134381a13d7d2ebf5cb46abeeb484e3abadff1f7a834779400c46ffb60ca8a74aab8a1696eb0a20b72bc44b26ab5b6a5b8f205989b05e41b7

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
1.7MB

MD5
f256c600ba268f562407cf21845dc6b8

SHA1
c7a2b2cbb0849673170e15f202b14ee0f5dba72b

SHA256
40c205cf76df09d68a219d0e1ceab943d7d96cc051783ff63253a4af9cade9f0

SHA512
a9ab26eef04c750283b7647a60d5f3a8731fbc70b7829bedfb5f55cb70298e8a1ba01c925f23f94fa31dbf4f3af4fad88d13c0f53d14820794d302e2d741e88f

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
512KB

MD5
44a0f7c1ee90e3df5794ba40e344de99

SHA1
66aedddaabb2d51d0d8bbe1747a3cff78150b86d

SHA256
9e0bea35c6a9671ecb39d54079951a419b896d01aa3f5ea416cc1ca0407f4945

SHA512
f45b88fa4d2dd9f0c5c33cc25c78ac18424a6c5dbb37e160a9ff7ed060664600501da6d44263d2d8ec26a4e924b363b547a5419637fa70dc7628a252184adf4b

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
704KB

MD5
66adc1436959d63e71c39bedc0b3b287

SHA1
19edbf8f73c041af99df97ed6af366f73b94ae03

SHA256
d55e696fcd70b34e73b10c2a37e984ce03c352b89c04412fa77e7430a91faab4

SHA512
64967987ad65714b20a65ec78360de7b2cbbf021ecafc6c7add870b5dd7b28b61cdc0ac50b7a929ad1c860aef9c73a3d52d766ccdea33de045f4d58417046952

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
2.2MB

MD5
351f938c15c6fb6fbf17f1b2a05d7ecd

SHA1
19a7211c1f92dea47caabd2c809c90ed235124d1

SHA256
e6993091b2ab2d02f3d98f9263cde6587059c6993c92798b7b633a2943fe415a

SHA512
741c03a9857d699efb2d0b7bc977f1e4988bd90f24811749b562f4b0c86c940533c79ba1e4adf7bd7366e773629d3ec23bcaf22d01fe80f3c311d34ff0de0989

Download Submit
memory/2228-13-0x0000000000AF0000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2228-12-0x0000000002660000-0x000000000279D000-memory.dmp

Filesize
1.2MB

Download
memory/2228-10-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2228-16-0x0000000000AF0000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2228-17-0x0000000000AF0000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2228-8-0x0000000010000000-0x0000000010268000-memory.dmp

Filesize
2.4MB

Download
memory/2916-22-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2916-26-0x0000000002020000-0x000000000215D000-memory.dmp

Filesize
1.2MB

Download
memory/2916-27-0x00000000026F0000-0x0000000002810000-memory.dmp

Filesize
1.1MB

Download
memory/2916-30-0x00000000026F0000-0x0000000002810000-memory.dmp

Filesize
1.1MB

Download
memory/2916-31-0x00000000026F0000-0x0000000002810000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing