ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd

General

Target

ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe
Size

1.9MB
MD5

05be41a9d7db52cda0f3e87d2f35af10
SHA1

f6f435c45e1e859447f29763d77916c6e81b4f3e
SHA256

ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd
SHA512

72c9a38fb415b61a47c4bce65ce226acbc4672bc7fa26464097fe91f50e418c7ef9ec083752455e1978fc59a688b7449c522b73f7da312ebe2f4d4de79c88eda
SSDEEP

49152:I/oSqeAryzWTIc99lvfJvK31SqyOxE3zAzLj:I/o4AryCTIc9vfM1SJ30fj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe

Loads dropped DLL 2 IoCs

pid	Process
1824	rundll32.exe
216	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2688	5048	ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe	81
PID 5048 wrote to memory of 2688	5048	ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe	81
PID 5048 wrote to memory of 2688	5048	ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe	81
PID 2688 wrote to memory of 1824	2688	control.exe	83
PID 2688 wrote to memory of 1824	2688	control.exe	83
PID 2688 wrote to memory of 1824	2688	control.exe	83
PID 1824 wrote to memory of 100	1824	rundll32.exe	90
PID 1824 wrote to memory of 100	1824	rundll32.exe	90
PID 100 wrote to memory of 216	100	RunDll32.exe	91
PID 100 wrote to memory of 216	100	RunDll32.exe	91
PID 100 wrote to memory of 216	100	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe
"C:\Users\Admin\AppData\Local\Temp\ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\LL4JAm.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LL4JAm.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LL4JAm.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\LL4JAm.cPl",
        5⤵
        Loads dropped DLL
        
        PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LL4JAm.cPl

Filesize
2.4MB

MD5
484d7ed949e92183e498ed3afb4ff329

SHA1
96d14ce25a24a366c8d2a7d04fb56fb585503913

SHA256
b26554e0edbf8384bd0e420444bafc925e2503372bc2719a17732160ee77eb20

SHA512
9ec28bc61bf1da2687f51f63948a83b68274f8d5efb0a820f34dbe70bf5fbcf13e78932a849b923ef6729e5344e85809f705d6780d54db0f7248e55006355dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LL4Jam.cpl

Filesize
2.4MB

MD5
484d7ed949e92183e498ed3afb4ff329

SHA1
96d14ce25a24a366c8d2a7d04fb56fb585503913

SHA256
b26554e0edbf8384bd0e420444bafc925e2503372bc2719a17732160ee77eb20

SHA512
9ec28bc61bf1da2687f51f63948a83b68274f8d5efb0a820f34dbe70bf5fbcf13e78932a849b923ef6729e5344e85809f705d6780d54db0f7248e55006355dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LL4Jam.cpl

Filesize
2.4MB

MD5
484d7ed949e92183e498ed3afb4ff329

SHA1
96d14ce25a24a366c8d2a7d04fb56fb585503913

SHA256
b26554e0edbf8384bd0e420444bafc925e2503372bc2719a17732160ee77eb20

SHA512
9ec28bc61bf1da2687f51f63948a83b68274f8d5efb0a820f34dbe70bf5fbcf13e78932a849b923ef6729e5344e85809f705d6780d54db0f7248e55006355dd1

Download Submit
memory/216-146-0x0000000002D60000-0x0000000002EFF000-memory.dmp

Filesize
1.6MB

Download
memory/216-147-0x0000000003040000-0x000000000317F000-memory.dmp

Filesize
1.2MB

Download
memory/216-148-0x0000000003180000-0x000000000323D000-memory.dmp

Filesize
756KB

Download
memory/216-149-0x0000000003240000-0x00000000032E7000-memory.dmp

Filesize
668KB

Download
memory/216-152-0x0000000003040000-0x000000000317F000-memory.dmp

Filesize
1.2MB

Download
memory/1824-137-0x0000000003390000-0x00000000034CF000-memory.dmp

Filesize
1.2MB

Download
memory/1824-138-0x0000000002E40000-0x0000000002EFD000-memory.dmp

Filesize
756KB

Download
memory/1824-139-0x00000000034E0000-0x0000000003587000-memory.dmp

Filesize
668KB

Download
memory/1824-136-0x00000000030B0000-0x000000000324F000-memory.dmp

Filesize
1.6MB

Download
memory/1824-145-0x0000000003390000-0x00000000034CF000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing