6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab

General

Target

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe
Size

468KB
MD5

35d60d2723c649c97b414b3cb701df1c
SHA1

9944ce9354fb8961826339770ffc118000058271
SHA256

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab
SHA512

7b010b8dd4845bcfbfef66848fa0a29b987734a7adb41f07bbc025527ee33459edac7674f954016e96c3704e0ed9130104c5cf4625b78927a19c727812ca389c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

14 4820 rundll32.exe
43 4820 rundll32.exe

flow	pid	process
14	4820	rundll32.exe
43	4820	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3300 regsvr32.exe
4820 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3300	regsvr32.exe
4820	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exeregsvr32.exe

description	pid	process	target process
PID 2380 wrote to memory of 4596	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	cmd.exe
PID 2380 wrote to memory of 4596	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	cmd.exe
PID 2380 wrote to memory of 4596	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	cmd.exe
PID 2380 wrote to memory of 3300	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	regsvr32.exe
PID 2380 wrote to memory of 3300	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	regsvr32.exe
PID 2380 wrote to memory of 3300	2380	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	regsvr32.exe
PID 3300 wrote to memory of 4820	3300	regsvr32.exe	rundll32.exe
PID 3300 wrote to memory of 4820	3300	regsvr32.exe	rundll32.exe
PID 3300 wrote to memory of 4820	3300	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe
"C:\Users\Admin\AppData\Local\Temp\6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rns.bat" "
  2⤵
  PID:4596
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /n /i NewACt.dat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat",checkdrive
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rns.bat

Filesize
296B

MD5
5fea73ccfab1fec3832408ad4c33f786

SHA1
c4aeedbf9ce66565e74d3806ad3c76282ed83fb1

SHA256
9820d84bdfde1dd8f12ec2306fdeb9089724abd7b9d4b1a0f9f26d4e41b13422

SHA512
9af2b2979beb22bd417861bc56fc4eb86635a63e93cb74437ebb7450e90b4b8c814a8ac9ccfc9cf967cafb83867a9fd7353ba5b02dedddf03ce10a5e48c1fed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
memory/3300-132-0x0000000000000000-mapping.dmp

Download
memory/4596-130-0x0000000000000000-mapping.dmp

Download
memory/4820-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing