ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf

General

Target

ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
Size

2.3MB
MD5

a4dbaa2823de224f553e652fc084f6dc
SHA1

9889fb674e623d0cdfe96aeb6f464b20a0c2061f
SHA256

ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf
SHA512

5dbf389d0a37d07085e1fd2bcf51194cf723f738d9b780be7927db3df8a76f564a66de88514781a7cf2a2e947f99b50ea6dce7d38b5d2acf4e82bb2c9a81c3c3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5056 rundll32.exe
5056 rundll32.exe
1920 rundll32.exe
1920 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5056	rundll32.exe
5056	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 396 wrote to memory of 32	396	ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe	control.exe
PID 396 wrote to memory of 32	396	ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe	control.exe
PID 396 wrote to memory of 32	396	ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe	control.exe
PID 32 wrote to memory of 5056	32	control.exe	rundll32.exe
PID 32 wrote to memory of 5056	32	control.exe	rundll32.exe
PID 32 wrote to memory of 5056	32	control.exe	rundll32.exe
PID 5056 wrote to memory of 4512	5056	rundll32.exe	RunDll32.exe
PID 5056 wrote to memory of 4512	5056	rundll32.exe	RunDll32.exe
PID 4512 wrote to memory of 1920	4512	RunDll32.exe	rundll32.exe
PID 4512 wrote to memory of 1920	4512	RunDll32.exe	rundll32.exe
PID 4512 wrote to memory of 1920	4512	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe
"C:\Users\Admin\AppData\Local\Temp\ba6b153500986e6edca9aec5602fedfaeeea6d56b9e681c5072f776264ac47bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\1ufgQl.WY6
2⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\1ufgQl.WY6
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\1ufgQl.WY6
4⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\1ufgQl.WY6
5⤵
- Loads dropped DLL
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ufgQl.WY6
Filesize
641.3MB

MD5
ae2402127ac09a2476a9982a015555cf

SHA1
4555445998c1560806c8c4b35a2eea17fe30f3cb

SHA256
f3cca8c203e5aa875845d62237c00b87ac71ac61a9b21595f281413c31bd2002

SHA512
6b9d4b26c42693c987d8a48871f1a84c72d0d65fd9443260847252dead0d1bcd1fd7e2e0d4c73f59c56143a69d7c9c68e64af87d5466529c65ebfe4744fed24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
Filesize
630.9MB

MD5
8208ff1e73fbe0740091a84d29583693

SHA1
a3e7495438a8f8b2f946ca74b98b7fba0eca5775

SHA256
d9f847629fec80f68929099742ebb91a486d6e7dc02aa838c9aa8ac35bc3da7d

SHA512
14d1894475fc70f83c040da76d02bf65c15d9d38b056648c9c9a3e543698e59b4f96bec6757f894efea2525c14c2f3fe266ec5e492830cdc2108b200fe8ea533

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
Filesize
602.5MB

MD5
551b26501b7e03b1c071abfd41ef9b5a

SHA1
2ee89f50c4e55ec1b07f804501dc349d26df0115

SHA256
d4fe0bd63a534f10382a65668931ae2ca8441c71b102ba07d662e1de3ef3d028

SHA512
bb4c212591be0b088fe5098d46d49ef0e468e964cb230614ad204f18415291866b18157c8b6cafe8728bd23e6c6c3b06750acc1ed106fdee7acc65b39089e1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
Filesize
37.1MB

MD5
e64f1664b6cba54ae1333eb3693b32ac

SHA1
8fa1721049bc2782a614c0d6c0ebf0473a4bee08

SHA256
22ad9fb81ceef26672cded02c5f3957ee358daa4c61744c9d52ceb1752e4dea5

SHA512
c2f7ce465ec71777ac2860552b8c58c8bc9ce45a733b39b082f0cbe42e59434537c8fb002632a9a917d821db939a97b8339439f0631384515b3c0cd32b63be8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ufgQl.Wy6
Filesize
43.6MB

MD5
2e314721c24994fe5dc05a28f3cc1e9a

SHA1
ce7f67dde833c31054a79beba793b781c52b41f9

SHA256
7f35e5a867ceadff596b2c477cf77bc0fe80ee88d1b1269a1aca327aa0f2fc04

SHA512
e7000bc736335ebbe75f9acffc11fc09a3f8ecbbd2d62a84dfab871a4c125669ec225e242d20c2bc2a4a1fd8e81d298cbcffe594853626fd6457fe0a9cee49e0

Download Submit
memory/32-130-0x0000000000000000-mapping.dmp

Download
memory/1920-143-0x0000000000000000-mapping.dmp

Download
memory/1920-148-0x000000002ED80000-0x000000002EE74000-memory.dmp

Filesize
976KB

Download
memory/1920-147-0x000000002EB50000-0x000000002EC76000-memory.dmp

Filesize
1.1MB

Download
memory/1920-146-0x0000000002860000-0x0000000003860000-memory.dmp

Filesize
16.0MB

Download
memory/4512-142-0x0000000000000000-mapping.dmp

Download
memory/5056-131-0x0000000000000000-mapping.dmp

Download
memory/5056-139-0x000000002EFC0000-0x000000002F067000-memory.dmp

Filesize
668KB

Download
memory/5056-138-0x000000002EF00000-0x000000002EFBD000-memory.dmp

Filesize
756KB

Download
memory/5056-137-0x000000002EE00000-0x000000002EEF4000-memory.dmp

Filesize
976KB

Download
memory/5056-136-0x000000002D940000-0x000000002DA66000-memory.dmp

Filesize
1.1MB

Download
memory/5056-135-0x0000000002C90000-0x0000000003C90000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing