fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a

General

Target

fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe
Size

1.8MB
MD5

26968ecbcfdd8dc12250800336e3399f
SHA1

b92090c0ef436bb6b3831778bb1a952aa7896a95
SHA256

fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a
SHA512

b889ca5b24dcac9598405ac3576d9ec9939fb4bf3f8d6b10cc4a4a935d0bbe733732e04c5ed4a83bddc3f2a9479dcdabe8ec2f9508a168ab7f63c89b7969d2fa
SSDEEP

49152:KyzoRKcL2mibZIZ4AXcIA6PZgT+Q6SbFFymq:Ky8KZDbm4McIZgF6yVq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe

Loads dropped DLL 2 IoCs

pid	Process
4940	rundll32.exe
3964	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3068	1008	fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe	81
PID 1008 wrote to memory of 3068	1008	fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe	81
PID 1008 wrote to memory of 3068	1008	fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe	81
PID 3068 wrote to memory of 4940	3068	control.exe	83
PID 3068 wrote to memory of 4940	3068	control.exe	83
PID 3068 wrote to memory of 4940	3068	control.exe	83
PID 4940 wrote to memory of 176	4940	rundll32.exe	90
PID 4940 wrote to memory of 176	4940	rundll32.exe	90
PID 176 wrote to memory of 3964	176	RunDll32.exe	91
PID 176 wrote to memory of 3964	176	RunDll32.exe	91
PID 176 wrote to memory of 3964	176	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe
"C:\Users\Admin\AppData\Local\Temp\fdcf0f3acc31f0130aa3a0df8923d6110aeb61b580695c070de4fe8e93c8809a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\C9i0QvX.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C9i0QvX.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C9i0QvX.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:176
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\C9i0QvX.CpL",
        5⤵
        Loads dropped DLL
        
        PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C9i0QvX.CpL

Filesize
1.7MB

MD5
dc3a8fdcdc7a18ae814b13a39e7396a0

SHA1
26506cd05d2447e40da816cbeb007c2b037b1b47

SHA256
babf409dc0edea7f42ef03dd944231a513a9f9d75fb7ffd6c1cde64c8f099be1

SHA512
fca9bb3fa178eb8c9527cfc0a4d00341cf9687e7d6fed84674bbec12e5fd5225a3a8079e535ac128496ee0e01ff2c6e3d37806c28fc982324afbb2caa7708735

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9i0Qvx.cpl

Filesize
1.7MB

MD5
dc3a8fdcdc7a18ae814b13a39e7396a0

SHA1
26506cd05d2447e40da816cbeb007c2b037b1b47

SHA256
babf409dc0edea7f42ef03dd944231a513a9f9d75fb7ffd6c1cde64c8f099be1

SHA512
fca9bb3fa178eb8c9527cfc0a4d00341cf9687e7d6fed84674bbec12e5fd5225a3a8079e535ac128496ee0e01ff2c6e3d37806c28fc982324afbb2caa7708735

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9i0Qvx.cpl

Filesize
1.7MB

MD5
dc3a8fdcdc7a18ae814b13a39e7396a0

SHA1
26506cd05d2447e40da816cbeb007c2b037b1b47

SHA256
babf409dc0edea7f42ef03dd944231a513a9f9d75fb7ffd6c1cde64c8f099be1

SHA512
fca9bb3fa178eb8c9527cfc0a4d00341cf9687e7d6fed84674bbec12e5fd5225a3a8079e535ac128496ee0e01ff2c6e3d37806c28fc982324afbb2caa7708735

Download Submit
memory/3964-151-0x00000000033A0000-0x00000000034E2000-memory.dmp

Filesize
1.3MB

Download
memory/3964-149-0x00000000035C0000-0x000000000366B000-memory.dmp

Filesize
684KB

Download
memory/3964-147-0x00000000034F0000-0x00000000035B1000-memory.dmp

Filesize
772KB

Download
memory/3964-146-0x00000000033A0000-0x00000000034E2000-memory.dmp

Filesize
1.3MB

Download
memory/3964-145-0x0000000003100000-0x0000000003246000-memory.dmp

Filesize
1.3MB

Download
memory/4940-137-0x00000000032A0000-0x00000000033E2000-memory.dmp

Filesize
1.3MB

Download
memory/4940-140-0x00000000034C0000-0x000000000356B000-memory.dmp

Filesize
684KB

Download
memory/4940-139-0x00000000034C0000-0x000000000356B000-memory.dmp

Filesize
684KB

Download
memory/4940-138-0x00000000033F0000-0x00000000034B1000-memory.dmp

Filesize
772KB

Download
memory/4940-136-0x0000000003000000-0x0000000003146000-memory.dmp

Filesize
1.3MB

Download
memory/4940-152-0x00000000032A0000-0x00000000033E2000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing