93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640

General

Target

93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
Size

2.7MB
MD5

53f70c63e11b5b2592cc2760fa9f7ee0
SHA1

cd2c69037ce17669d30db004a4723b49d652735a
SHA256

93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640
SHA512

8ba0a65d0cbae880818d3f6d3a24c3448066cf9fcdb3e1b754881f2cea650f489ca0b573a9b2622b8129e0f18994a7590a9471e5d933dee506779e01c9235e99
SSDEEP

49152:jmoGDAgI3W2saAWO9aYB74+pK7CB1x4IF+A5iD9A1TK36A85v8:jmoaI3sa4O+oCSj/sO6A8i

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2872	rundll32.exe
916	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4312	3000	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	80
PID 3000 wrote to memory of 4312	3000	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	80
PID 3000 wrote to memory of 4312	3000	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	80
PID 4312 wrote to memory of 2872	4312	control.exe	83
PID 4312 wrote to memory of 2872	4312	control.exe	83
PID 4312 wrote to memory of 2872	4312	control.exe	83
PID 2872 wrote to memory of 2116	2872	rundll32.exe	84
PID 2872 wrote to memory of 2116	2872	rundll32.exe	84
PID 2116 wrote to memory of 916	2116	RunDll32.exe	85
PID 2116 wrote to memory of 916	2116	RunDll32.exe	85
PID 2116 wrote to memory of 916	2116	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
"C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
        5⤵
        Loads dropped DLL
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DsVk3.cpl

Filesize
2.8MB

MD5
dd67d27c548f4a84fffa7ef1dfd05cf6

SHA1
1e5b28747eb11a0d1b3486a97f0b66066222c3d2

SHA256
044bde60642d879badd2b050ced2227c474d72c53bb88a43fb12424f97581ad9

SHA512
a25775c112c34c0edcb82319ca19ea22572827870780137376b324e191877e6c827f44ada4fa3eabf5c34339ade78933a2430b8192a12ec2f7d69a68741de8d3

Download Submit
memory/916-33-0x00000000023C0000-0x00000000023C6000-memory.dmp

Filesize
24KB

Download
memory/916-53-0x0000000028190000-0x0000000028194000-memory.dmp

Filesize
16KB

Download
memory/916-52-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/916-51-0x00000000043D0000-0x00000000044C1000-memory.dmp

Filesize
964KB

Download
memory/916-49-0x00000000043D0000-0x00000000044C1000-memory.dmp

Filesize
964KB

Download
memory/916-47-0x00000000042E0000-0x00000000043CC000-memory.dmp

Filesize
944KB

Download
memory/916-45-0x0000000002C30000-0x0000000002D2A000-memory.dmp

Filesize
1000KB

Download
memory/916-39-0x0000000002C30000-0x0000000002D2A000-memory.dmp

Filesize
1000KB

Download
memory/916-37-0x0000000002C30000-0x0000000002D2A000-memory.dmp

Filesize
1000KB

Download
memory/916-35-0x0000000002B10000-0x0000000002C25000-memory.dmp

Filesize
1.1MB

Download
memory/2872-15-0x00000000034D0000-0x00000000035CA000-memory.dmp

Filesize
1000KB

Download
memory/2872-28-0x0000000004C70000-0x0000000004D61000-memory.dmp

Filesize
964KB

Download
memory/2872-27-0x0000000004C70000-0x0000000004D61000-memory.dmp

Filesize
964KB

Download
memory/2872-26-0x0000000004B80000-0x0000000004C6C000-memory.dmp

Filesize
944KB

Download
memory/2872-25-0x00000000035D0000-0x0000000004B80000-memory.dmp

Filesize
21.7MB

Download
memory/2872-24-0x00000000034D0000-0x00000000035CA000-memory.dmp

Filesize
1000KB

Download
memory/2872-19-0x0000000010000000-0x00000000102D9000-memory.dmp

Filesize
2.8MB

Download
memory/2872-18-0x00000000034D0000-0x00000000035CA000-memory.dmp

Filesize
1000KB

Download
memory/2872-16-0x00000000034D0000-0x00000000035CA000-memory.dmp

Filesize
1000KB

Download
memory/2872-14-0x00000000033B0000-0x00000000034C5000-memory.dmp

Filesize
1.1MB

Download
memory/2872-12-0x0000000010000000-0x00000000102D9000-memory.dmp

Filesize
2.8MB

Download
memory/2872-11-0x0000000001340000-0x0000000001346000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing