097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c

General

Target

097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe
Size

1.4MB
MD5

ba543b43dc0fd0a566795bf3ffed8eab
SHA1

d557939cae1b5c9b2318db028538a5a4ec01af4d
SHA256

097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c
SHA512

c471aa288acf1d9cc7dc32158bf22702f583733c1df269c5d4d1d375fef6aca8a7c322ba350986792f70a8b1aa961bdf9de582fe96727bcf8372b49c998fcf6b
SSDEEP

24576:VJr8tEZgHq0MK4MoSjaEpEOClF/fU3ksGwvNuUIWT7X7CC9hxt7AW0gjdikiis:VJ4oxKtvpAlIksG2NutWnrCCb7J/drif

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe

Loads dropped DLL 2 IoCs

pid	Process
4152	rundll32.exe
2208	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4132	4892	097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe	84
PID 4892 wrote to memory of 4132	4892	097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe	84
PID 4892 wrote to memory of 4132	4892	097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe	84
PID 4132 wrote to memory of 4152	4132	control.exe	86
PID 4132 wrote to memory of 4152	4132	control.exe	86
PID 4132 wrote to memory of 4152	4132	control.exe	86
PID 4152 wrote to memory of 1192	4152	rundll32.exe	90
PID 4152 wrote to memory of 1192	4152	rundll32.exe	90
PID 1192 wrote to memory of 2208	1192	RunDll32.exe	91
PID 1192 wrote to memory of 2208	1192	RunDll32.exe	91
PID 1192 wrote to memory of 2208	1192	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe
"C:\Users\Admin\AppData\Local\Temp\097c4376f40cebe074334669df685503e0a832b1d09f323ecc8abaa26342ae0c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl",
        5⤵
        Loads dropped DLL
        
        PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl

Filesize
2.3MB

MD5
3dfedc3362c66f6734acd87f05eb355c

SHA1
9314cf398933a1af5bd3c508ccb75be8ded2640a

SHA256
22ab0f50ed49290b831c4977cbedb63df86c1920945ce7c8e329d4b88a39c00d

SHA512
38927663c99bd83e1139175bca89c2b6149918bc0944c02a11122904174bc7e489c0457681051b73101a4fc860df58f5ca590e62dcb0d6d39677c4454b1d83a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl

Filesize
2.3MB

MD5
3dfedc3362c66f6734acd87f05eb355c

SHA1
9314cf398933a1af5bd3c508ccb75be8ded2640a

SHA256
22ab0f50ed49290b831c4977cbedb63df86c1920945ce7c8e329d4b88a39c00d

SHA512
38927663c99bd83e1139175bca89c2b6149918bc0944c02a11122904174bc7e489c0457681051b73101a4fc860df58f5ca590e62dcb0d6d39677c4454b1d83a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaFaU2~F.cpl

Filesize
2.3MB

MD5
3dfedc3362c66f6734acd87f05eb355c

SHA1
9314cf398933a1af5bd3c508ccb75be8ded2640a

SHA256
22ab0f50ed49290b831c4977cbedb63df86c1920945ce7c8e329d4b88a39c00d

SHA512
38927663c99bd83e1139175bca89c2b6149918bc0944c02a11122904174bc7e489c0457681051b73101a4fc860df58f5ca590e62dcb0d6d39677c4454b1d83a0

Download Submit
memory/1192-142-0x0000000000000000-mapping.dmp

Download
memory/2208-146-0x00000000036C0000-0x0000000003782000-memory.dmp

Filesize
776KB

Download
memory/2208-143-0x0000000000000000-mapping.dmp

Download
memory/2208-145-0x00000000032D0000-0x00000000034B9000-memory.dmp

Filesize
1.9MB

Download
memory/2208-147-0x00000000035C0000-0x00000000036B6000-memory.dmp

Filesize
984KB

Download
memory/2208-148-0x00000000037A0000-0x000000000384D000-memory.dmp

Filesize
692KB

Download
memory/2208-151-0x00000000032D0000-0x00000000034B9000-memory.dmp

Filesize
1.9MB

Download
memory/4132-132-0x0000000000000000-mapping.dmp

Download
memory/4152-137-0x00000000031D0000-0x00000000033B9000-memory.dmp

Filesize
1.9MB

Download
memory/4152-138-0x00000000034C0000-0x00000000035B6000-memory.dmp

Filesize
984KB

Download
memory/4152-139-0x00000000036B0000-0x000000000375D000-memory.dmp

Filesize
692KB

Download
memory/4152-136-0x00000000035D0000-0x0000000003692000-memory.dmp

Filesize
776KB

Download
memory/4152-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing