cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51

General

Target

cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
Size

40KB
MD5

444656a8293a50d964e3eecc3d952a96
SHA1

df4c98d6298dcc07f474e589a5261b774aa5b589
SHA256

cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51
SHA512

ccf774aed10e785b26f415ef813234ad77d36e1fce6aad7f5f3ceba9436abf375bb62c3d57f657506a5c7ac3edcb852e3623fbecdbc4bff801ffaa83aecf515a
SSDEEP

768:hLFnz6CDBBpUSlxoxUkiLRl3R3WLOsyd:hL19DroORf0asyd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5040	rund1l32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\rund1l32.exe	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
File opened for modification	C:\Windows\system\rund1l32.exe	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
File opened for modification	C:\Windows\SysWOW64	rund1l32.exe
File opened for modification	C:\Windows\SysWOW64	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
File opened for modification	C:\Windows\system.ini	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1844	5040	WerFault.exe	82

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
5040	rund1l32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 4296	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	80
PID 3324 wrote to memory of 4296	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	80
PID 3324 wrote to memory of 4296	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	80
PID 3324 wrote to memory of 5040	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	82
PID 3324 wrote to memory of 5040	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	82
PID 3324 wrote to memory of 5040	3324	cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe	82
PID 5040 wrote to memory of 4272	5040	rund1l32.exe	83
PID 5040 wrote to memory of 4272	5040	rund1l32.exe	83
PID 5040 wrote to memory of 4272	5040	rund1l32.exe	83

C:\Users\Admin\AppData\Local\Temp\cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe
"C:\Users\Admin\AppData\Local\Temp\cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Del2395.tmp.bat
  2⤵
  PID:4296
- C:\Windows\system\rund1l32.exe
  "C:\Windows\system\rund1l32.exe" -s
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Del3894.tmp.bat
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 928
    3⤵
    - Program crash
    PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del2395.tmp.bat

Filesize
261B

MD5
3f3625f6a070d9813d4bf5826daaf40a

SHA1
e0e284ed249f3973a611a365ff15b3b13964c361

SHA256
dac09e7eff05b5b952945773b95d406f2d15e2517ad45721b1b45be7c4880afa

SHA512
5c0dbd4902a44d7ebf89b3469fe7d61e42725c5812830ef185266c9ea5fe7acc2c8ca4523523b7577e9b341511059c9171c140a42915509bf539026ffff8855c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Del3894.tmp.bat

Filesize
117B

MD5
4f486954b6e2769c3883edb474b6105c

SHA1
00f58e04bf82f931d4de627d1a1318a064f575d1

SHA256
04d5d6a0a1a75a626cce1a224ac8f330d5b15f58348ef121f3e53bab8e95e713

SHA512
478bb1b7d02c26ce7cec198418ae6a7878095c9dac4442ea5571741a860729fe15f1b811d0f3aad81cc98283dda94efdb870132229230216b247aa3dc5334494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Æô¶¯ Internet Explorer ä¯ÀÀÆ÷.lnk

Filesize
933B

MD5
0e562386b49608efc9f79686db21ff35

SHA1
808705236c6e347577861c4efbfd0e49251440b4

SHA256
307aba9af11ab88f6555c2a8713880e4ff972dea212ee64578bb46aecfce74ed

SHA512
8d85d465606d8d53ece7dcb7671f2c533d93f9b3c08f8718ffa2402758ac32e6670fab35e595ed525c0a5d115631ba45062c5de63d183005cbf2fb345962a0b4

Download Submit
C:\Windows\System\rund1l32.exe

Filesize
40KB

MD5
444656a8293a50d964e3eecc3d952a96

SHA1
df4c98d6298dcc07f474e589a5261b774aa5b589

SHA256
cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51

SHA512
ccf774aed10e785b26f415ef813234ad77d36e1fce6aad7f5f3ceba9436abf375bb62c3d57f657506a5c7ac3edcb852e3623fbecdbc4bff801ffaa83aecf515a

Download Submit
C:\Windows\system\rund1l32.exe

Filesize
40KB

MD5
444656a8293a50d964e3eecc3d952a96

SHA1
df4c98d6298dcc07f474e589a5261b774aa5b589

SHA256
cff8240679fda8a70450fcf911e9fa1625f56a2784e71cdb3bfe64b8d3a10c51

SHA512
ccf774aed10e785b26f415ef813234ad77d36e1fce6aad7f5f3ceba9436abf375bb62c3d57f657506a5c7ac3edcb852e3623fbecdbc4bff801ffaa83aecf515a

Download Submit

Analysis

Sharing