0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627

General

Target

0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe
Size

2.3MB
MD5

59d567558c6542a7602d9d67fb9b753b
SHA1

d71501e35ccac4e72a60f128096112c8d1941d4f
SHA256

0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627
SHA512

ff7e98258656fd545ac751747c54f8dce539f14a1c85290624e0b30f3a9bb25aea17a1933e6654742e1bd4d53549f3b1c8dab321571ca8f62dd42a7517f24144

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4168 rundll32.exe
4168 rundll32.exe
1232 rundll32.exe
1232 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4168	rundll32.exe
4168	rundll32.exe
1232	rundll32.exe
1232	rundll32.exe

Modifies registry class 1 IoCs

Processes:

0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2272 wrote to memory of 2984	2272	0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe	control.exe
PID 2272 wrote to memory of 2984	2272	0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe	control.exe
PID 2272 wrote to memory of 2984	2272	0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe	control.exe
PID 2984 wrote to memory of 4168	2984	control.exe	rundll32.exe
PID 2984 wrote to memory of 4168	2984	control.exe	rundll32.exe
PID 2984 wrote to memory of 4168	2984	control.exe	rundll32.exe
PID 4168 wrote to memory of 5020	4168	rundll32.exe	RunDll32.exe
PID 4168 wrote to memory of 5020	4168	rundll32.exe	RunDll32.exe
PID 5020 wrote to memory of 1232	5020	RunDll32.exe	rundll32.exe
PID 5020 wrote to memory of 1232	5020	RunDll32.exe	rundll32.exe
PID 5020 wrote to memory of 1232	5020	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe
"C:\Users\Admin\AppData\Local\Temp\0ba5533f3ff75a681c3465af7cb0ea41e64d30bc20543c6a1abed8722274e627.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\27Yv2.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27Yv2.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\27Yv2.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\27Yv2.CPL",
        5⤵
        Loads dropped DLL
        
        PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27Yv2.CPL

Filesize
678.6MB

MD5
8b9c2187a2968b9561d27fb74910b980

SHA1
8616600d3615d6a7caf7c5f4576be2113cf5a3c8

SHA256
747b11dd4202fa481d2cc0db9e8362ce2cc141252d89d3275cfadcf1dbea63e1

SHA512
4538cd83df9db610bc45a89703b7592487024281973e7f161e9b1d09f73eceadc690aa21e1f71c0cf0529004506b4891dff068c95bee2e429853e426ea1d6519

Download Submit
C:\Users\Admin\AppData\Local\Temp\27Yv2.cpl

Filesize
636.9MB

MD5
89f11de1fa1e18049bf259a237e7f583

SHA1
874b06a0802ff335bbd72b9a9e7859bf2307c491

SHA256
be27e17bde327c69c93b85fb32e513ac7cf50cea3d99b3c649c1bbd93c44c244

SHA512
d50c36a3e57116ed0a8e195fb5cb10a629254ee324b6daf61c8c388dffa0b32464180654584bdca498dda3d14f76754cb12d16352c7d35cf742bbc4fe976408c

Download Submit
C:\Users\Admin\AppData\Local\Temp\27Yv2.cpl

Filesize
682.1MB

MD5
ce3f76ce9d4bac0fea894f7ec2a0257c

SHA1
fe75507a895bd2208238be75de881868af5c7c0c

SHA256
6b041c9e142ea358b724d619f8e3a528107997378741bcc41700c35ca96a4488

SHA512
bac86e3a65d130dd0585a2e66241d4e8e91c4f81499c5ca2c0ec7a2b1aa1ba267137c25e62d44da0c921a76895e9d76506e6df71cdfd898f4c1d937769c2a97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\27Yv2.cpl

Filesize
252.6MB

MD5
582273675615bbb5802fcbf39d7b2c9d

SHA1
56c3a75b716ea3d5cd0ca0eee602aa92e2997668

SHA256
804584da0c432f5e7a89072cad0114ad182fddfd20a3e516540dc111583063aa

SHA512
fd72a0243aabc177dd2eab62f52d54e2ca804000d3f1e91c1ba60b7d739a4e9b284684da871e233eb7bda3633dbeafef03dd298181bde1a1fa6fbd52c29a3366

Download Submit
C:\Users\Admin\AppData\Local\Temp\27Yv2.cpl

Filesize
188.2MB

MD5
71919514e99e625136ba70fb38d3550f

SHA1
5a5128344428fa68f03b61ddc6f22b2bece890c0

SHA256
9757d4fd9d13c7835875f19a27b8b9ae1cfa605aa392c4a9c93a392a62a12a9f

SHA512
ce6aa7e69a32d601f8f151226fe6877b55e7959f8e5442f9f6eb9c53e8d3961fa9034ae492796fd0639acb36d19508fb0d0551ce39e1fb15e1498763f15bbf85

Download Submit
memory/1232-151-0x000000002ECE0000-0x000000002ED87000-memory.dmp

Filesize
668KB

Download
memory/1232-149-0x000000002EC20000-0x000000002ECDD000-memory.dmp

Filesize
756KB

Download
memory/1232-148-0x000000002EB30000-0x000000002EC16000-memory.dmp

Filesize
920KB

Download
memory/1232-147-0x000000002D660000-0x000000002D776000-memory.dmp

Filesize
1.1MB

Download
memory/1232-153-0x000000002EB30000-0x000000002EC16000-memory.dmp

Filesize
920KB

Download
memory/1232-146-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/1232-143-0x0000000000000000-mapping.dmp

Download
memory/2984-130-0x0000000000000000-mapping.dmp

Download
memory/4168-135-0x0000000002B00000-0x0000000003B00000-memory.dmp

Filesize
16.0MB

Download
memory/4168-140-0x000000002ED80000-0x000000002EE27000-memory.dmp

Filesize
668KB

Download
memory/4168-139-0x000000002ED80000-0x000000002EE27000-memory.dmp

Filesize
668KB

Download
memory/4168-138-0x0000000000E20000-0x0000000000EDD000-memory.dmp

Filesize
756KB

Download
memory/4168-136-0x000000002D7C0000-0x000000002D8D6000-memory.dmp

Filesize
1.1MB

Download
memory/4168-137-0x000000002EC90000-0x000000002ED76000-memory.dmp

Filesize
920KB

Download
memory/4168-131-0x0000000000000000-mapping.dmp

Download
memory/4168-154-0x000000002EC90000-0x000000002ED76000-memory.dmp

Filesize
920KB

Download
memory/5020-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads