29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358

General

Target

29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe
Size

1.9MB
MD5

f1cdf220537bd3c314d7d9c197fa886a
SHA1

6489ba218491d90083aa9dbcf32b05fc3908b40d
SHA256

29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358
SHA512

972ce9d4d9b1a88117f16ae6ed71957776179f6fb85c92eee7fa68f355eb0aa6f0e74715158aab7f4cfea846595d9363324da82ad75dfb3913e8310b322927fd
SSDEEP

49152:EuWxZYw7Vwkj+rGqeGPFQVb956VLrmvZ4Wg:EuW/FV2rGqeAQtr6VLrUw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe

Loads dropped DLL 2 IoCs

pid	Process
4976	rundll32.exe
4816	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4076	2900	29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe	85
PID 2900 wrote to memory of 4076	2900	29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe	85
PID 2900 wrote to memory of 4076	2900	29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe	85
PID 4076 wrote to memory of 4976	4076	control.exe	87
PID 4076 wrote to memory of 4976	4076	control.exe	87
PID 4076 wrote to memory of 4976	4076	control.exe	87
PID 4976 wrote to memory of 2096	4976	rundll32.exe	98
PID 4976 wrote to memory of 2096	4976	rundll32.exe	98
PID 2096 wrote to memory of 4816	2096	RunDll32.exe	99
PID 2096 wrote to memory of 4816	2096	RunDll32.exe	99
PID 2096 wrote to memory of 4816	2096	RunDll32.exe	99

C:\Users\Admin\AppData\Local\Temp\29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe
"C:\Users\Admin\AppData\Local\Temp\29ae5698c0e51879e966206654f67c663c87786dfdaed530af17bf34ba345358.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl

Filesize
1.7MB

MD5
3bb5081487d975b667b441e50539316a

SHA1
64bc5a07a41c24f539043e444c086e821dc7e08a

SHA256
5f83974a32efe4bce31646e4367060a016d5e7e06abfb5808c3ef1c06360eb86

SHA512
552140ffd2d4b4262135773dababd98ca8425d52e06fbb97b23dcb6dcc7ffca3dcd1ee4ab0f862437b8b26a1300f2271fe7ed638df8f59c163088d24331e6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EuiNq.cpl

Filesize
1.7MB

MD5
3bb5081487d975b667b441e50539316a

SHA1
64bc5a07a41c24f539043e444c086e821dc7e08a

SHA256
5f83974a32efe4bce31646e4367060a016d5e7e06abfb5808c3ef1c06360eb86

SHA512
552140ffd2d4b4262135773dababd98ca8425d52e06fbb97b23dcb6dcc7ffca3dcd1ee4ab0f862437b8b26a1300f2271fe7ed638df8f59c163088d24331e6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EuiNq.cpl

Filesize
1.7MB

MD5
3bb5081487d975b667b441e50539316a

SHA1
64bc5a07a41c24f539043e444c086e821dc7e08a

SHA256
5f83974a32efe4bce31646e4367060a016d5e7e06abfb5808c3ef1c06360eb86

SHA512
552140ffd2d4b4262135773dababd98ca8425d52e06fbb97b23dcb6dcc7ffca3dcd1ee4ab0f862437b8b26a1300f2271fe7ed638df8f59c163088d24331e6e30

Download Submit
memory/4816-151-0x00000000036D0000-0x00000000037E7000-memory.dmp

Filesize
1.1MB

Download
memory/4816-149-0x00000000037F0000-0x0000000003899000-memory.dmp

Filesize
676KB

Download
memory/4816-147-0x00000000030F0000-0x00000000031AE000-memory.dmp

Filesize
760KB

Download
memory/4816-146-0x00000000036D0000-0x00000000037E7000-memory.dmp

Filesize
1.1MB

Download
memory/4816-145-0x0000000003450000-0x00000000035A4000-memory.dmp

Filesize
1.3MB

Download
memory/4976-136-0x0000000002EC0000-0x0000000003014000-memory.dmp

Filesize
1.3MB

Download
memory/4976-140-0x0000000003320000-0x00000000033C9000-memory.dmp

Filesize
676KB

Download
memory/4976-139-0x0000000003320000-0x00000000033C9000-memory.dmp

Filesize
676KB

Download
memory/4976-138-0x0000000003260000-0x000000000331E000-memory.dmp

Filesize
760KB

Download
memory/4976-137-0x0000000003140000-0x0000000003257000-memory.dmp

Filesize
1.1MB

Download
memory/4976-152-0x0000000003140000-0x0000000003257000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing