9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e

General

Target

9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe
Size

2.2MB
MD5

c7479887c886ef76ed7b8575af13a195
SHA1

c22469922530d32d2bdcead0893e47dfaad450c4
SHA256

9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e
SHA512

eff2e134ddcec6c8870d33f347d8ecef7681284ab4f4acde340fb60be944a495297d876476ce1dc22d991116fdb126e31e356b11f639d2094e9c8da19f5eece6
SSDEEP

49152:anGImUMrowwcBcU/ONGXQdGv+so3KVNTK/XBimV+8YKip+iAn3emc:aGIwobbU/OsXQdGWeNTK/Rima1mc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
948	rundll32.exe
4636	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 5084	4824	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	75
PID 4824 wrote to memory of 5084	4824	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	75
PID 4824 wrote to memory of 5084	4824	9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe	75
PID 5084 wrote to memory of 948	5084	control.exe	77
PID 5084 wrote to memory of 948	5084	control.exe	77
PID 5084 wrote to memory of 948	5084	control.exe	77
PID 948 wrote to memory of 2100	948	rundll32.exe	78
PID 948 wrote to memory of 2100	948	rundll32.exe	78
PID 2100 wrote to memory of 4636	2100	RunDll32.exe	79
PID 2100 wrote to memory of 4636	2100	RunDll32.exe	79
PID 2100 wrote to memory of 4636	2100	RunDll32.exe	79

C:\Users\Admin\AppData\Local\Temp\9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe
"C:\Users\Admin\AppData\Local\Temp\9de4e64928cd34bd3ee257647bcc17d3f836331a9d43d5209732d467c2bdb32e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FJ9p.CpL

Filesize
2.0MB

MD5
263a94488b0ebebf4e5ff3c273e837fe

SHA1
ccd165f60dd8abc1955f48935f318ec0ac822c12

SHA256
77577bdfdd9141cfdbc7d35af51e8754c426940b1aa12594ae3f443971b436a5

SHA512
34fc40e4b2308525dcd45b31265fa5c36b649947e3a1245a468e5f4463437acc73dbaf8954ed1fb1a0031e93c357f5e344482a6db60ddf45992ef65af4ff3410

Download Submit
memory/948-22-0x00000000066B0000-0x00000000067AF000-memory.dmp

Filesize
1020KB

Download
memory/948-10-0x00000000049E0000-0x0000000004B0A000-memory.dmp

Filesize
1.2MB

Download
memory/948-53-0x00000000066B0000-0x00000000067AF000-memory.dmp

Filesize
1020KB

Download
memory/948-11-0x0000000004B10000-0x0000000004C1D000-memory.dmp

Filesize
1.1MB

Download
memory/948-14-0x0000000004B10000-0x0000000004C1D000-memory.dmp

Filesize
1.1MB

Download
memory/948-15-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/948-19-0x0000000004B10000-0x0000000004C1D000-memory.dmp

Filesize
1.1MB

Download
memory/948-20-0x0000000004C20000-0x00000000065A6000-memory.dmp

Filesize
25.5MB

Download
memory/948-21-0x00000000065B0000-0x00000000066AE000-memory.dmp

Filesize
1016KB

Download
memory/948-7-0x0000000000990000-0x0000000000996000-memory.dmp

Filesize
24KB

Download
memory/948-54-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/948-8-0x0000000010000000-0x0000000010204000-memory.dmp

Filesize
2.0MB

Download
memory/4636-30-0x0000000004F10000-0x000000000501D000-memory.dmp

Filesize
1.1MB

Download
memory/4636-33-0x0000000004F10000-0x000000000501D000-memory.dmp

Filesize
1.1MB

Download
memory/4636-39-0x0000000004F10000-0x000000000501D000-memory.dmp

Filesize
1.1MB

Download
memory/4636-41-0x00000000069B0000-0x0000000006AAE000-memory.dmp

Filesize
1016KB

Download
memory/4636-42-0x0000000006AB0000-0x0000000006BAF000-memory.dmp

Filesize
1020KB

Download
memory/4636-45-0x0000000006AB0000-0x0000000006BAF000-memory.dmp

Filesize
1020KB

Download
memory/4636-46-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/4636-47-0x000000005FE40000-0x000000005FE95000-memory.dmp

Filesize
340KB

Download
memory/4636-29-0x0000000004DE0000-0x0000000004F0A000-memory.dmp

Filesize
1.2MB

Download
memory/4636-27-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing