d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
Size

3.0MB
MD5

27135a6db76ba20123d58fb984693e58
SHA1

11393be585455865658a742fe2b5e0667a555cef
SHA256

d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c
SHA512

9e54b8326e69b40b33bed740ad78dc85bb457f432ea2f07cb279bfc4f73942de777e1a1709e0cdc18faef2fcea90cf1e54235049215e2ee950e8ad1d72dc5627
SSDEEP

49152:anGImUDdO7RNgwAFpg3eWE7dHAzXBI6+ZEfs5fHpmXCUArYsxxrguA0BwJpwP0ep:aGIDdaRNgwAuH076mEfGp3xrYMxrguRZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2112	2360	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	28
PID 2360 wrote to memory of 2112	2360	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	28
PID 2360 wrote to memory of 2112	2360	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	28
PID 2360 wrote to memory of 2112	2360	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	28
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 2112 wrote to memory of 3068	2112	control.exe	29
PID 3068 wrote to memory of 1140	3068	rundll32.exe	32
PID 3068 wrote to memory of 1140	3068	rundll32.exe	32
PID 3068 wrote to memory of 1140	3068	rundll32.exe	32
PID 3068 wrote to memory of 1140	3068	rundll32.exe	32
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33
PID 1140 wrote to memory of 1920	1140	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
"C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
        5⤵
        Loads dropped DLL
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL

Filesize
2.8MB

MD5
d3f45a11db0366d9983929c1940bc5f6

SHA1
a53a7a65351701477fae66013bdcc86ab600a0b1

SHA256
21e2e0ae114c5303beea700aacba6699be358ba6411ad0649e13090390f03cb2

SHA512
9d60a027abc35fa1cc5a62c4622d855c0565b1c1766b768dd681356406dcac1576aabaca4a80fb38a0c3e9727a815c01b0c80c74caa5e4c4d05cda7e3a3395e3

Download Submit
memory/1920-25-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1920-36-0x00000000027A0000-0x00000000028A8000-memory.dmp

Filesize
1.0MB

Download
memory/1920-35-0x00000000027A0000-0x00000000028A8000-memory.dmp

Filesize
1.0MB

Download
memory/1920-33-0x00000000027A0000-0x00000000028A8000-memory.dmp

Filesize
1.0MB

Download
memory/1920-31-0x0000000002670000-0x0000000002794000-memory.dmp

Filesize
1.1MB

Download
memory/3068-14-0x00000000025D0000-0x00000000026F4000-memory.dmp

Filesize
1.1MB

Download
memory/3068-19-0x0000000002700000-0x0000000002808000-memory.dmp

Filesize
1.0MB

Download
memory/3068-18-0x0000000002700000-0x0000000002808000-memory.dmp

Filesize
1.0MB

Download
memory/3068-16-0x0000000002700000-0x0000000002808000-memory.dmp

Filesize
1.0MB

Download
memory/3068-15-0x0000000002700000-0x0000000002808000-memory.dmp

Filesize
1.0MB

Download
memory/3068-9-0x0000000010000000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/3068-8-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download