015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.3MB
MD5

f14b54c6e41545c8ba51629183431d1d
SHA1

758aa4668d2206d3a80308ecd2fecae459fed07e
SHA256

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f
SHA512

d25744c0a1185205641d3f0199bea923d4224e43ea91f371782424339c4d56bd92efe41de3c3f026bf72f5d1e6d324aff3a1d737fade6ae56d2aa3632f899fee
SSDEEP

49152:anGImUlx7X/pQ2P6p6rVzCOKPec313JYbcBKUd+IAWgLqGWQy:aGIfXha29COKWc31ZkcBuIA/Li

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3016 rundll32.exe
3016 rundll32.exe
3016 rundll32.exe
3016 rundll32.exe
2600 rundll32.exe
2600 rundll32.exe
2600 rundll32.exe
2600 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

file.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2492 wrote to memory of 2892	2492	file.exe	control.exe
PID 2492 wrote to memory of 2892	2492	file.exe	control.exe
PID 2492 wrote to memory of 2892	2492	file.exe	control.exe
PID 2492 wrote to memory of 2892	2492	file.exe	control.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 2892 wrote to memory of 3016	2892	control.exe	rundll32.exe
PID 3016 wrote to memory of 1932	3016	rundll32.exe	RunDll32.exe
PID 3016 wrote to memory of 1932	3016	rundll32.exe	RunDll32.exe
PID 3016 wrote to memory of 1932	3016	rundll32.exe	RunDll32.exe
PID 3016 wrote to memory of 1932	3016	rundll32.exe	RunDll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe
PID 1932 wrote to memory of 2600	1932	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
5⤵
- Loads dropped DLL
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL

Filesize
1.3MB

MD5
8566eb7ac000da9b6dc4f1443a2a6d38

SHA1
4c514322a2a9b95fd8cede87ad4b9a39b316c350

SHA256
69bb268f2bd70a74a08f5d7e68dd81b19b12fe85752d889ea1d809b873f2555b

SHA512
03668331800a4b735606da89c1660da579380e87a0fad2d555579057fd1512af88d8f87c117a90e4d98353e28cdd4c3910d01e36003ebe9cd2bcb7b6535eadf7

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
960KB

MD5
2cfee859fcefe2c8b0b97a1a0207970b

SHA1
3af6e06d8ad5d8e77d6fe81883a193d58460be50

SHA256
f08e470ca01c1c3b80ae4ea22a59777c3b1c5a48b35c20a0edaa43baccdf6344

SHA512
d05a11a9f80c307ab0915aa62e8dc21977216f848a4c31fcecbccc91be30cf0f67b70de319ebe521f6b0c432b93e0d0dd0edd668be2d536356246b0e6169cf1f

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
640KB

MD5
afca946ab375200aa1c93c069cae9f36

SHA1
e5ae94d762302c98ba2e70334d5c2c38e0829ad3

SHA256
b3cab42097229ded335399e83112e00cec919498353bfafbde9653d38a5178be

SHA512
60aaa2c9df0d4b4d79fdae75f1186b1abc16267760583f73af6389e21ea82d931a982db3e6f4d125d1ed251f228c52bbb5253c3a1f5e7a4a93d4c1078ba32221

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
931KB

MD5
84fc8b48bab2ce9516a36c31880748dd

SHA1
7dee8a9c200233c277b429979a9bcdd373193c9a

SHA256
a241fdfb37287fbf06264a208e70ac14bf46a88b75e6cf55dc265befa220a3ef

SHA512
46e76bc341d873329efdcd6b2ea2a07aa5f93e6f4bb22cee3803034253f0f0382a101049d4dc833bdaa2ea864973208ac36008ca35d0246017c19c988a574f9f

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
448KB

MD5
f8b3c49156e605bfa807193739d13607

SHA1
3777bb3c1993bf28fc9c5148ae492503258b2b5b

SHA256
d5b66549e95565258e8f2ed99de9600c0287268d226db0bc4809fc917f0cd06b

SHA512
8c7e34c8813a06db8eed00e8360dbfa140aecb454e64aa8d35c4ac3d64af086930e15a7652a3fbc60da1eb4dc7955987ca4072969456e66f40554a3079a9fdcd

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
958KB

MD5
332404c6d80167322cbd552730dd297d

SHA1
56de57b3f0688daf6fb37145fb837f11283c5abd

SHA256
da9008c9ecfbef7c39d9caae54c510173726a3f20555fd4a68478fd9f0329d6e

SHA512
d53a467ff76f4a0e085fe740223e3200e338a90dbc19396457897738b107780e234d995049e041c6ac338a8a1f10526e96869eb31f5fb5620afdef36121d6beb

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
1012KB

MD5
a27043e2d67d980d27863ffac51492c0

SHA1
d27f55240fde49a2a450ba25f47de9d507d2f834

SHA256
c0be0b269184d881a64801d3fc89b151ea8027957d16ee5af39879ba22066388

SHA512
eb7c7f31d864b7a39d220fcb3e0c4e79a283e92e3beeadeadc2ece2bff895ccd1fd976829b46bf20e3e2ec9ec1af2d47bf90903266103ca6d5593706cd427039

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
989KB

MD5
455b189c3d9911e8bfd7f5954fcd7e5c

SHA1
dcb15f81138cf52a54d8a5a6066857a96c1f9328

SHA256
1073062b235070928a9307f3171d234e02b8886656724206420aebf1c41a6afe

SHA512
0cf1c3137b5739b095dee889221da7d26ac7ad85790ec5b74c9030c6c39dd02b79b94dd19b5e9fadc8414a0dda876bc732bf53adeef22ba6945ccaac692da625

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
789KB

MD5
ef9207196b6b55cc53d8b7f5a3437923

SHA1
ac10554a59d93ea2c59e396566801e5d49520419

SHA256
254021f269bf8d67bde3f1618b03d06a1127ec2e4d0342e95bcfed34cc912a19

SHA512
69907765761b7afa0e186b2e22c8b28bfeb981787d288682fa3efd1df161c9a06b0912809fab7d3370d9afc51158670b74591aab0f0d66b572ba8afe1b7c6d29

Download Submit
memory/2600-31-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2600-25-0x00000000027E0000-0x0000000002907000-memory.dmp

Filesize
1.2MB

Download
memory/2600-23-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2600-26-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2600-30-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2600-29-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/3016-9-0x00000000000C0000-0x00000000000C6000-memory.dmp

Filesize
24KB

Download
memory/3016-17-0x0000000002740000-0x0000000002849000-memory.dmp

Filesize
1.0MB

Download
memory/3016-15-0x0000000002740000-0x0000000002849000-memory.dmp

Filesize
1.0MB

Download
memory/3016-16-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/3016-14-0x0000000002740000-0x0000000002849000-memory.dmp

Filesize
1.0MB

Download
memory/3016-12-0x0000000002740000-0x0000000002849000-memory.dmp

Filesize
1.0MB

Download
memory/3016-11-0x0000000002610000-0x0000000002737000-memory.dmp

Filesize
1.2MB

Download
memory/3016-8-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download