9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e

General

Target

9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe
Size

2.2MB
MD5

c7479887c886ef76ed7b8575af13a195
SHA1

c22469922530d32d2bdcead0893e47dfaad450c4
SHA256

9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e
SHA512

eff2e134ddcec6c8870d33f347d8ecef7681284ab4f4acde340fb60be944a495297d876476ce1dc22d991116fdb126e31e356b11f639d2094e9c8da19f5eece6
SSDEEP

49152:anGImUMrowwcBcU/ONGXQdGv+so3KVNTK/XBimV+8YKip+iAn3emc:aGIwobbU/OsXQdGWeNTK/Rima1mc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
2884	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe
1324	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1924	1656	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	28
PID 1656 wrote to memory of 1924	1656	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	28
PID 1656 wrote to memory of 1924	1656	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	28
PID 1656 wrote to memory of 1924	1656	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	28
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 1924 wrote to memory of 2884	1924	control.exe	29
PID 2884 wrote to memory of 1364	2884	rundll32.exe	32
PID 2884 wrote to memory of 1364	2884	rundll32.exe	32
PID 2884 wrote to memory of 1364	2884	rundll32.exe	32
PID 2884 wrote to memory of 1364	2884	rundll32.exe	32
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33
PID 1364 wrote to memory of 1324	1364	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe
"C:\Users\Admin\AppData\Local\Temp\9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
        5⤵
        Loads dropped DLL
        
        PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL

Filesize
2.0MB

MD5
263a94488b0ebebf4e5ff3c273e837fe

SHA1
ccd165f60dd8abc1955f48935f318ec0ac822c12

SHA256
77577bdfdd9141cfdbc7d35af51e8754c426940b1aa12594ae3f443971b436a5

SHA512
34fc40e4b2308525dcd45b31265fa5c36b649947e3a1245a468e5f4463437acc73dbaf8954ed1fb1a0031e93c357f5e344482a6db60ddf45992ef65af4ff3410

Download Submit
memory/1324-32-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1324-51-0x000000005FE40000-0x000000005FE95000-memory.dmp

Filesize
340KB

Download
memory/1324-50-0x00000000000D0000-0x00000000000E2000-memory.dmp

Filesize
72KB

Download
memory/1324-49-0x0000000004400000-0x00000000044FF000-memory.dmp

Filesize
1020KB

Download
memory/1324-46-0x0000000004400000-0x00000000044FF000-memory.dmp

Filesize
1020KB

Download
memory/1324-45-0x0000000004300000-0x00000000043FE000-memory.dmp

Filesize
1016KB

Download
memory/1324-43-0x0000000002860000-0x000000000296D000-memory.dmp

Filesize
1.1MB

Download
memory/1324-38-0x0000000002860000-0x000000000296D000-memory.dmp

Filesize
1.1MB

Download
memory/1324-35-0x0000000002860000-0x000000000296D000-memory.dmp

Filesize
1.1MB

Download
memory/1324-34-0x0000000002730000-0x000000000285A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-15-0x0000000002B40000-0x0000000002C4D000-memory.dmp

Filesize
1.1MB

Download
memory/2884-24-0x00000000046E0000-0x00000000047DF000-memory.dmp

Filesize
1020KB

Download
memory/2884-23-0x00000000045E0000-0x00000000046DE000-memory.dmp

Filesize
1016KB

Download
memory/2884-22-0x0000000002C50000-0x00000000045D6000-memory.dmp

Filesize
25.5MB

Download
memory/2884-21-0x0000000002B40000-0x0000000002C4D000-memory.dmp

Filesize
1.1MB

Download
memory/2884-16-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/2884-12-0x0000000002B40000-0x0000000002C4D000-memory.dmp

Filesize
1.1MB

Download
memory/2884-11-0x0000000002A10000-0x0000000002B3A000-memory.dmp

Filesize
1.2MB

Download
memory/2884-8-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2884-9-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/2884-57-0x00000000046E0000-0x00000000047DF000-memory.dmp

Filesize
1020KB

Download
memory/2884-58-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing