c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a

General

Target

c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe
Size

1.6MB
MD5

febff3be95677d1fcf31225afa2186a9
SHA1

f493e4a46f37a87b3b742a23ccf789c77e3936d6
SHA256

c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a
SHA512

a4f16bdcfdff46e6373e470fe4cbab0449d9814b473a7585a99a2e80ee3d2271a033e42bcfa08ba01bb91fff6eec128b2e88b27b8a4c6dcde1fbb2f6f62fcd0d
SSDEEP

49152:t84AAH6bEIONAMl9hKzqfVDGkdPlaVs4p:tuyDSYxXat

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe

Loads dropped DLL 3 IoCs

pid	Process
2332	rundll32.exe
3000	rundll32.exe
3000	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4388	3528	c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe	82
PID 3528 wrote to memory of 4388	3528	c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe	82
PID 3528 wrote to memory of 4388	3528	c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe	82
PID 4388 wrote to memory of 2332	4388	control.exe	84
PID 4388 wrote to memory of 2332	4388	control.exe	84
PID 4388 wrote to memory of 2332	4388	control.exe	84
PID 2332 wrote to memory of 2352	2332	rundll32.exe	91
PID 2332 wrote to memory of 2352	2332	rundll32.exe	91
PID 2352 wrote to memory of 3000	2352	RunDll32.exe	92
PID 2352 wrote to memory of 3000	2352	RunDll32.exe	92
PID 2352 wrote to memory of 3000	2352	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe
"C:\Users\Admin\AppData\Local\Temp\c924884ab0d1f3a072b979f140027981cf9f8b0c69d7ba93e52494b012b6e19a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RTvWPKz.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RTvWPKz.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RTvWPKz.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RTvWPKz.CPL",
        5⤵
        Loads dropped DLL
        
        PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RTvWPKz.CPL

Filesize
1.6MB

MD5
99dbbb5ae007af04e4a8f414ffe73746

SHA1
3ec6038a0a24054c9e7d6205b7ac78bf4c9bb413

SHA256
cce445eed4ef10483faa13b62468f3b89204257062e79691012b6a62abeefddd

SHA512
84e8772006e0de7d00a06b0b67f5749ed58346fd42e2084a86ac0434a768d701bf8f2b63a675588511863c45ab2e339343fddb52fc202427b87f2a0621220ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTvWPKz.cpl

Filesize
1.6MB

MD5
99dbbb5ae007af04e4a8f414ffe73746

SHA1
3ec6038a0a24054c9e7d6205b7ac78bf4c9bb413

SHA256
cce445eed4ef10483faa13b62468f3b89204257062e79691012b6a62abeefddd

SHA512
84e8772006e0de7d00a06b0b67f5749ed58346fd42e2084a86ac0434a768d701bf8f2b63a675588511863c45ab2e339343fddb52fc202427b87f2a0621220ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTvWPKz.cpl

Filesize
1.6MB

MD5
99dbbb5ae007af04e4a8f414ffe73746

SHA1
3ec6038a0a24054c9e7d6205b7ac78bf4c9bb413

SHA256
cce445eed4ef10483faa13b62468f3b89204257062e79691012b6a62abeefddd

SHA512
84e8772006e0de7d00a06b0b67f5749ed58346fd42e2084a86ac0434a768d701bf8f2b63a675588511863c45ab2e339343fddb52fc202427b87f2a0621220ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTvWPKz.cpl

Filesize
1.6MB

MD5
99dbbb5ae007af04e4a8f414ffe73746

SHA1
3ec6038a0a24054c9e7d6205b7ac78bf4c9bb413

SHA256
cce445eed4ef10483faa13b62468f3b89204257062e79691012b6a62abeefddd

SHA512
84e8772006e0de7d00a06b0b67f5749ed58346fd42e2084a86ac0434a768d701bf8f2b63a675588511863c45ab2e339343fddb52fc202427b87f2a0621220ee5

Download Submit
memory/2332-136-0x0000000003610000-0x000000000372C000-memory.dmp

Filesize
1.1MB

Download
memory/2332-137-0x0000000003730000-0x0000000003819000-memory.dmp

Filesize
932KB

Download
memory/2332-138-0x0000000003820000-0x00000000038E9000-memory.dmp

Filesize
804KB

Download
memory/2332-139-0x00000000038F0000-0x00000000039A3000-memory.dmp

Filesize
716KB

Download
memory/2332-154-0x0000000003730000-0x0000000003819000-memory.dmp

Filesize
932KB

Download
memory/3000-146-0x0000000002770000-0x0000000002906000-memory.dmp

Filesize
1.6MB

Download
memory/3000-147-0x0000000002BD0000-0x0000000002CEC000-memory.dmp

Filesize
1.1MB

Download
memory/3000-148-0x0000000002DE0000-0x0000000002EC9000-memory.dmp

Filesize
932KB

Download
memory/3000-149-0x0000000002ED0000-0x0000000002F99000-memory.dmp

Filesize
804KB

Download
memory/3000-150-0x0000000002FA0000-0x0000000003053000-memory.dmp

Filesize
716KB

Download
memory/3000-153-0x0000000002DE0000-0x0000000002EC9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing