9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639

General

Target

9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe
Size

2.5MB
MD5

aa5678bc524fc946aac14559ed68db35
SHA1

6571c4f749cf5f73e1dc7d93de8bff6a99f604f7
SHA256

9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639
SHA512

60dfe5af4dc254cc9cf49edbb330b64e5c733e44ff8a315345b1e7d912d74868f44bc27e9319485a0669e084f2f931ea9117415e6bf3c4bdd911c0d8ba754849
SSDEEP

49152:1monDFXSI/L+WL3WvITExBBZ4esnr9DAiVwyDS+z+/lg28lv/hg2nm:1moJS2LhWwAzBZlsnr9D/mI7z+/18lvE

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3028	rundll32.exe
4188	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1380226425-3283293370-545244236-1000_Classes\Local Settings	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 3412	300	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	73
PID 300 wrote to memory of 3412	300	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	73
PID 300 wrote to memory of 3412	300	9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe	73
PID 3412 wrote to memory of 3028	3412	control.exe	75
PID 3412 wrote to memory of 3028	3412	control.exe	75
PID 3412 wrote to memory of 3028	3412	control.exe	75
PID 3028 wrote to memory of 416	3028	rundll32.exe	76
PID 3028 wrote to memory of 416	3028	rundll32.exe	76
PID 416 wrote to memory of 4188	416	RunDll32.exe	77
PID 416 wrote to memory of 4188	416	RunDll32.exe	77
PID 416 wrote to memory of 4188	416	RunDll32.exe	77

C:\Users\Admin\AppData\Local\Temp\9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe
"C:\Users\Admin\AppData\Local\Temp\9f8836e1132f03e94ff151910c2dc6517c4a7190f91aec0b26750472a1fc4639.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:300
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:416
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLiK7.CpL

Filesize
2.4MB

MD5
c6b3843553fe6a5a677552a4765620a7

SHA1
feb14915a0b3d846a1b9d2f7b8a7f35909bd871e

SHA256
94861ddfb9e04192cb960794af0ed6413b37a51a9cfa438ef83f1670cd2c3909

SHA512
9e495ad843b014b134381a13d7d2ebf5cb46abeeb484e3abadff1f7a834779400c46ffb60ca8a74aab8a1696eb0a20b72bc44b26ab5b6a5b8f205989b05e41b7

Download Submit
\Users\Admin\AppData\Local\Temp\qliK7.cpl

Filesize
771KB

MD5
fc3588a1e3fce070058efbb00743e9d1

SHA1
14f88b6dc834ed4aa4891a66ec2607a4746d5e71

SHA256
878f9409f4668123a7a5db14cea9541285a895d0532d1f1b2852d88faf8b7500

SHA512
be71234b70b2d6468efe70cd2fdbb07eb45805bd3aa5552be8b1b11e60c335829264392ce64f07900f18898a6c2c48c2b306c670d928c6537cc090c54dbecb1a

Download Submit
memory/3028-16-0x0000000010000000-0x0000000010268000-memory.dmp

Filesize
2.4MB

Download
memory/3028-24-0x0000000005B70000-0x0000000005C88000-memory.dmp

Filesize
1.1MB

Download
memory/3028-12-0x0000000004C80000-0x0000000004DA0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-15-0x0000000004C80000-0x0000000004DA0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-8-0x0000000010000000-0x0000000010268000-memory.dmp

Filesize
2.4MB

Download
memory/3028-22-0x0000000004DA0000-0x0000000005A5F000-memory.dmp

Filesize
12.7MB

Download
memory/3028-21-0x0000000004C80000-0x0000000004DA0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-57-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/3028-56-0x0000000005B70000-0x0000000005C88000-memory.dmp

Filesize
1.1MB

Download
memory/3028-25-0x0000000005B70000-0x0000000005C88000-memory.dmp

Filesize
1.1MB

Download
memory/3028-11-0x0000000004B40000-0x0000000004C7D000-memory.dmp

Filesize
1.2MB

Download
memory/3028-7-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/3028-23-0x0000000005A60000-0x0000000005B6F000-memory.dmp

Filesize
1.1MB

Download
memory/4188-32-0x00000000055C0000-0x00000000056E0000-memory.dmp

Filesize
1.1MB

Download
memory/4188-36-0x00000000055C0000-0x00000000056E0000-memory.dmp

Filesize
1.1MB

Download
memory/4188-42-0x00000000055C0000-0x00000000056E0000-memory.dmp

Filesize
1.1MB

Download
memory/4188-44-0x00000000063A0000-0x00000000064AF000-memory.dmp

Filesize
1.1MB

Download
memory/4188-46-0x00000000064B0000-0x00000000065C8000-memory.dmp

Filesize
1.1MB

Download
memory/4188-48-0x00000000064B0000-0x00000000065C8000-memory.dmp

Filesize
1.1MB

Download
memory/4188-49-0x0000000002F50000-0x0000000002F62000-memory.dmp

Filesize
72KB

Download
memory/4188-50-0x0000000036360000-0x00000000363B1000-memory.dmp

Filesize
324KB

Download
memory/4188-28-0x0000000003390000-0x0000000003396000-memory.dmp

Filesize
24KB

Download
memory/4188-31-0x0000000005480000-0x00000000055BD000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing