015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f

General

Target

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe
Size

2.3MB
MD5

f14b54c6e41545c8ba51629183431d1d
SHA1

758aa4668d2206d3a80308ecd2fecae459fed07e
SHA256

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f
SHA512

d25744c0a1185205641d3f0199bea923d4224e43ea91f371782424339c4d56bd92efe41de3c3f026bf72f5d1e6d324aff3a1d737fade6ae56d2aa3632f899fee
SSDEEP

49152:anGImUlx7X/pQ2P6p6rVzCOKPec313JYbcBKUd+IAWgLqGWQy:aGIfXha29COKWc31ZkcBuIA/Li

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2600 rundll32.exe
2600 rundll32.exe
2600 rundll32.exe
2600 rundll32.exe
2576 rundll32.exe
2576 rundll32.exe
2576 rundll32.exe
2576 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2600	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 3008 wrote to memory of 2972	3008	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	control.exe
PID 3008 wrote to memory of 2972	3008	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	control.exe
PID 3008 wrote to memory of 2972	3008	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	control.exe
PID 3008 wrote to memory of 2972	3008	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	control.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2972 wrote to memory of 2600	2972	control.exe	rundll32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	RunDll32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	RunDll32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	RunDll32.exe
PID 2600 wrote to memory of 3004	2600	rundll32.exe	RunDll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe
PID 3004 wrote to memory of 2576	3004	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe
"C:\Users\Admin\AppData\Local\Temp\015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
2⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
4⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
5⤵
- Loads dropped DLL
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL
Filesize
1.8MB

MD5
8eef672e83482bb034938cc84e9d4865

SHA1
6c600d6b953febf4197e7a008e65b26786b23317

SHA256
069c2a3d601547af6d67cbda2b62e048fd50f2a22f68fcc12a369115d71f9050

SHA512
257e9d8c6e193d7eaae80d596190ffefce5715998d3fd5aafc68934c4f30dba111994d0ac54acde2ea64494eaf8dc38113fa018bf69a9af39b29e519de7c1239

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl
Filesize
2.0MB

MD5
4516fffb265c3011e2750a255b382363

SHA1
cd74ae4c5424e4f529e29bbd22c4bddadcbdf7dd

SHA256
3dddf9d138c67c29b932605e99bcfbb712e5dc219df9d845c5aaf25bbbc6ba08

SHA512
3c9a4fda5d7a52b660a05d2a82f9f00332aa5bee545d8668653260ae257a608d1b2ff11bc4ffbd16797e6246b3fa02a222c183f0556e797273e19b037b7c47c3

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl
Filesize
433KB

MD5
fbc59e3025014f4e1e6d328fd9f41e9f

SHA1
d14910e64fbb7c07a2c212a534847f257825a20d

SHA256
675f0ee2bb065775ecdf6b149d7d352b583031435f9144863975a49491e6d04f

SHA512
9952bdc97236ca51dd89699b1fbc5416323889a6efa4d875bb5d1d833dba4950f45c0f23f8c1777206ba3cc325a051616ad82428e8d73e140abdff6dd9625664

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl
Filesize
192KB

MD5
c4bee1b891e726ebb017aa824c12ae75

SHA1
d7caf50c47160f27591bc44a7b3c46eee308c36b

SHA256
a0cc4361eaa6e3fb9ecb48294fda8e388530a000e486327265d95c035ba678c4

SHA512
5e103acc7e7c903ce76456cc7530c0ba9ce61b3775aebbd4f02a7ac4ce71bcedcd2b0d606afbb3603e6a8134e2812112cc9bc32b8dd6ffbb4696183ec99b9aa3

Download Submit
\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl
Filesize
128KB

MD5
5bfbd53fa45b305ed4fd0626bcf7800f

SHA1
ee42a2a3e2ff4dbca74adff891c34e5b2a22b2b1

SHA256
9417c119a3e5bbbc487d7a00f2abc34fa4fe88a491e1ed988b791080f05959db

SHA512
163d61abb001fae6fb6414bb8dfa5264e92cb680f2a65413362a3feb214a8643d6c278575041f8249d96f77fd0d36cf01422f47e9ab21f9f5ac721e1c88fdd7f

Download Submit
memory/2576-31-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2576-30-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2576-29-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2576-27-0x0000000002910000-0x0000000002A19000-memory.dmp

Filesize
1.0MB

Download
memory/2576-26-0x00000000027E0000-0x0000000002907000-memory.dmp

Filesize
1.2MB

Download
memory/2576-22-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/2600-9-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2600-17-0x0000000002790000-0x0000000002899000-memory.dmp

Filesize
1.0MB

Download
memory/2600-16-0x0000000002790000-0x0000000002899000-memory.dmp

Filesize
1.0MB

Download
memory/2600-15-0x0000000002790000-0x0000000002899000-memory.dmp

Filesize
1.0MB

Download
memory/2600-13-0x0000000002790000-0x0000000002899000-memory.dmp

Filesize
1.0MB

Download
memory/2600-12-0x0000000002660000-0x0000000002787000-memory.dmp

Filesize
1.2MB

Download
memory/2600-8-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing