10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6

General

Target

10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe
Size

1.8MB
MD5

cd88007995e130ca596cdcfc4d383d0a
SHA1

eb052b80b9cd6d6f57a967d5e93c40e6e14e1583
SHA256

10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6
SHA512

a9eaeb0a804deb77ec76ba310eb26c03ae98eb959174b6df9399402aaf65c4411fdd3eba28f9fdef11271bad4734869d6847b3204768e8b5d8392b9e5b090e9f
SSDEEP

49152:gJ4NmV0YmWKbS07aW/k9c/PSLexX5rMFTN6BSRu1:gJ4zZS0eAk9c5xXeFcBt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	rundll32.exe
1968	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2076	5036	10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe	80
PID 5036 wrote to memory of 2076	5036	10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe	80
PID 5036 wrote to memory of 2076	5036	10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe	80
PID 2076 wrote to memory of 2912	2076	control.exe	82
PID 2076 wrote to memory of 2912	2076	control.exe	82
PID 2076 wrote to memory of 2912	2076	control.exe	82
PID 2912 wrote to memory of 2380	2912	rundll32.exe	90
PID 2912 wrote to memory of 2380	2912	rundll32.exe	90
PID 2380 wrote to memory of 1968	2380	RunDll32.exe	91
PID 2380 wrote to memory of 1968	2380	RunDll32.exe	91
PID 2380 wrote to memory of 1968	2380	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe
"C:\Users\Admin\AppData\Local\Temp\10620e39cc7a12b760435cc8b1dc9b8a8624c7752c960103befe06317b1130b6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\S8FcU.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\S8FcU.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\S8FcU.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\S8FcU.cpL",
        5⤵
        Loads dropped DLL
        
        PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\S8FcU.cpL

Filesize
1.9MB

MD5
e3a5d972b3626c8ada2910c5b17b0034

SHA1
12652f235c81fc68509f11be09357814b82a41d0

SHA256
8f693dea41ff2b5c9649b2231d227e5141911fe6d5ce6ccb0a377f1c0a7efa59

SHA512
7a0a77346c3a7085d0e19e9fb208ffd3b3f3b9ba5f9039be98ad4f322a12dd08c1044c3ca22064eb6660254c694b2e9d7453f0f8ffbfe5f31a71fd2ca7ab5502

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8FcU.cpl

Filesize
1.9MB

MD5
e3a5d972b3626c8ada2910c5b17b0034

SHA1
12652f235c81fc68509f11be09357814b82a41d0

SHA256
8f693dea41ff2b5c9649b2231d227e5141911fe6d5ce6ccb0a377f1c0a7efa59

SHA512
7a0a77346c3a7085d0e19e9fb208ffd3b3f3b9ba5f9039be98ad4f322a12dd08c1044c3ca22064eb6660254c694b2e9d7453f0f8ffbfe5f31a71fd2ca7ab5502

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8FcU.cpl

Filesize
1.9MB

MD5
e3a5d972b3626c8ada2910c5b17b0034

SHA1
12652f235c81fc68509f11be09357814b82a41d0

SHA256
8f693dea41ff2b5c9649b2231d227e5141911fe6d5ce6ccb0a377f1c0a7efa59

SHA512
7a0a77346c3a7085d0e19e9fb208ffd3b3f3b9ba5f9039be98ad4f322a12dd08c1044c3ca22064eb6660254c694b2e9d7453f0f8ffbfe5f31a71fd2ca7ab5502

Download Submit
memory/1968-152-0x0000000002F80000-0x00000000030BC000-memory.dmp

Filesize
1.2MB

Download
memory/1968-149-0x0000000003190000-0x0000000003242000-memory.dmp

Filesize
712KB

Download
memory/1968-148-0x00000000030C0000-0x0000000003188000-memory.dmp

Filesize
800KB

Download
memory/1968-146-0x0000000002CC0000-0x0000000002E40000-memory.dmp

Filesize
1.5MB

Download
memory/1968-147-0x0000000002F80000-0x00000000030BC000-memory.dmp

Filesize
1.2MB

Download
memory/2912-145-0x00000000037C0000-0x00000000038FC000-memory.dmp

Filesize
1.2MB

Download
memory/2912-139-0x0000000003900000-0x00000000039B2000-memory.dmp

Filesize
712KB

Download
memory/2912-138-0x00000000032A0000-0x0000000003368000-memory.dmp

Filesize
800KB

Download
memory/2912-137-0x00000000037C0000-0x00000000038FC000-memory.dmp

Filesize
1.2MB

Download
memory/2912-136-0x0000000003500000-0x0000000003680000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing