d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c

General

Target

d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
Size

3.0MB
MD5

27135a6db76ba20123d58fb984693e58
SHA1

11393be585455865658a742fe2b5e0667a555cef
SHA256

d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c
SHA512

9e54b8326e69b40b33bed740ad78dc85bb457f432ea2f07cb279bfc4f73942de777e1a1709e0cdc18faef2fcea90cf1e54235049215e2ee950e8ad1d72dc5627
SSDEEP

49152:anGImUDdO7RNgwAFpg3eWE7dHAzXBI6+ZEfs5fHpmXCUArYsxxrguA0BwJpwP0ep:aGIDdaRNgwAuH076mEfGp3xrYMxrguRZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4812	rundll32.exe
4056	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000_Classes\Local Settings	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1404	5032	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	74
PID 5032 wrote to memory of 1404	5032	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	74
PID 5032 wrote to memory of 1404	5032	d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe	74
PID 1404 wrote to memory of 4812	1404	control.exe	76
PID 1404 wrote to memory of 4812	1404	control.exe	76
PID 1404 wrote to memory of 4812	1404	control.exe	76
PID 4812 wrote to memory of 4324	4812	rundll32.exe	77
PID 4812 wrote to memory of 4324	4812	rundll32.exe	77
PID 4324 wrote to memory of 4056	4324	RunDll32.exe	78
PID 4324 wrote to memory of 4056	4324	RunDll32.exe	78
PID 4324 wrote to memory of 4056	4324	RunDll32.exe	78

C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe
"C:\Users\Admin\AppData\Local\Temp\d70c173e0cdff573b0b5f2f399e27ace8ada4b623b06a8dde9904b752d5a3a7c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL",
        5⤵
        Loads dropped DLL
        
        PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EPGv1V5L.cPL

Filesize
1.1MB

MD5
023dd2e0e51bbc848084e05bffe6cfa6

SHA1
f2ea8bdb65a5ea3128800dbf79e8f0054c0485e9

SHA256
c14e79928f9194241909a8c79257cc1c4168f81ebb98492941ee13b9612f2a71

SHA512
bc4570b913f2ee31d4174868483770505a7bfe3fca88a3ff4345304f02452d324c0bd4d40e4461a45a8160ab95a9e97905a73bb43f353ab9fdb97abfc4ef9e97

Download Submit
\Users\Admin\AppData\Local\Temp\ePGv1v5L.cpl

Filesize
2.8MB

MD5
d3f45a11db0366d9983929c1940bc5f6

SHA1
a53a7a65351701477fae66013bdcc86ab600a0b1

SHA256
21e2e0ae114c5303beea700aacba6699be358ba6411ad0649e13090390f03cb2

SHA512
9d60a027abc35fa1cc5a62c4622d855c0565b1c1766b768dd681356406dcac1576aabaca4a80fb38a0c3e9727a815c01b0c80c74caa5e4c4d05cda7e3a3395e3

Download Submit
memory/4056-26-0x0000000000FE0000-0x0000000000FE6000-memory.dmp

Filesize
24KB

Download
memory/4056-46-0x000000003F660000-0x000000003F6B4000-memory.dmp

Filesize
336KB

Download
memory/4056-45-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/4056-44-0x00000000054B0000-0x00000000055A6000-memory.dmp

Filesize
984KB

Download
memory/4056-41-0x00000000054B0000-0x00000000055A6000-memory.dmp

Filesize
984KB

Download
memory/4056-40-0x00000000053B0000-0x00000000054A8000-memory.dmp

Filesize
992KB

Download
memory/4056-38-0x0000000004CF0000-0x0000000004DF8000-memory.dmp

Filesize
1.0MB

Download
memory/4056-36-0x0000000004CF0000-0x0000000004DF8000-memory.dmp

Filesize
1.0MB

Download
memory/4056-34-0x0000000004CF0000-0x0000000004DF8000-memory.dmp

Filesize
1.0MB

Download
memory/4056-32-0x0000000004BC0000-0x0000000004CE4000-memory.dmp

Filesize
1.1MB

Download
memory/4812-14-0x0000000004EE0000-0x0000000004FE8000-memory.dmp

Filesize
1.0MB

Download
memory/4812-22-0x00000000056A0000-0x0000000005796000-memory.dmp

Filesize
984KB

Download
memory/4812-20-0x00000000055A0000-0x0000000005698000-memory.dmp

Filesize
992KB

Download
memory/4812-19-0x0000000004FF0000-0x0000000005592000-memory.dmp

Filesize
5.6MB

Download
memory/4812-18-0x0000000004EE0000-0x0000000004FE8000-memory.dmp

Filesize
1.0MB

Download
memory/4812-17-0x0000000004EE0000-0x0000000004FE8000-memory.dmp

Filesize
1.0MB

Download
memory/4812-15-0x0000000004EE0000-0x0000000004FE8000-memory.dmp

Filesize
1.0MB

Download
memory/4812-13-0x0000000010000000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/4812-12-0x0000000000EC0000-0x0000000000FE4000-memory.dmp

Filesize
1.1MB

Download
memory/4812-8-0x0000000010000000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/4812-7-0x0000000000DB0000-0x0000000000DB6000-memory.dmp

Filesize
24KB

Download
memory/4812-52-0x00000000056A0000-0x0000000005796000-memory.dmp

Filesize
984KB

Download
memory/4812-53-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing