86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5

General

Target

86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe
Size

1.7MB
MD5

2586a2bb960359b7d458273c3654046a
SHA1

aa45cd202ec22bab36918c0627683d84309b0a80
SHA256

86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5
SHA512

f09a667c7b6fab1439841a7d780aade5601ed85de782aa98873fdfca2e9a374c2b0445584f87aeed97830233f113d06f1f28d5f5d404967a8e62b1c1a3b0e9b0
SSDEEP

24576:hZ7Xar2VsBq/OebOKQXsudEfOQmx7Kps4RTVCV4Uxc0b4F+Q3zUtl4n1rjFagnhP:NsNHd+OQIKVCyUcu7Mn1rA0hBgU7gK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	rundll32.exe
4380	rundll32.exe
4380	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3816	4596	86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe	83
PID 4596 wrote to memory of 3816	4596	86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe	83
PID 4596 wrote to memory of 3816	4596	86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe	83
PID 3816 wrote to memory of 1860	3816	control.exe	84
PID 3816 wrote to memory of 1860	3816	control.exe	84
PID 3816 wrote to memory of 1860	3816	control.exe	84
PID 1860 wrote to memory of 1348	1860	rundll32.exe	91
PID 1860 wrote to memory of 1348	1860	rundll32.exe	91
PID 1348 wrote to memory of 4380	1348	RunDll32.exe	92
PID 1348 wrote to memory of 4380	1348	RunDll32.exe	92
PID 1348 wrote to memory of 4380	1348	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe
"C:\Users\Admin\AppData\Local\Temp\86bec77dc2bbcf42fa0b5bdd93dcc81dd23875cbb62f77fed1b7e2f87520a4c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\i8tZ.G
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\i8tZ.G
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\i8tZ.G
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\i8tZ.G
        5⤵
        Loads dropped DLL
        
        PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i8tZ.G

Filesize
2.8MB

MD5
1728580f64c4b56c123118375279e02e

SHA1
a38443635a1b222c5136ed97f548ffbf3e6ea7ff

SHA256
ceb0e7ae219fd83f4f0896b9d9e610ed9963c60581ab33e235d9ab4fd70baa92

SHA512
32d5ca2c88c1941dea68aacd7c46badb6a322c3d97f12d676136d2791a789cff3e44fc4683571c9e8b2b468c67908a6421e9e4be948bad9213af4d21df50cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8tZ.g

Filesize
2.8MB

MD5
1728580f64c4b56c123118375279e02e

SHA1
a38443635a1b222c5136ed97f548ffbf3e6ea7ff

SHA256
ceb0e7ae219fd83f4f0896b9d9e610ed9963c60581ab33e235d9ab4fd70baa92

SHA512
32d5ca2c88c1941dea68aacd7c46badb6a322c3d97f12d676136d2791a789cff3e44fc4683571c9e8b2b468c67908a6421e9e4be948bad9213af4d21df50cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8tZ.g

Filesize
2.8MB

MD5
1728580f64c4b56c123118375279e02e

SHA1
a38443635a1b222c5136ed97f548ffbf3e6ea7ff

SHA256
ceb0e7ae219fd83f4f0896b9d9e610ed9963c60581ab33e235d9ab4fd70baa92

SHA512
32d5ca2c88c1941dea68aacd7c46badb6a322c3d97f12d676136d2791a789cff3e44fc4683571c9e8b2b468c67908a6421e9e4be948bad9213af4d21df50cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i8tZ.g

Filesize
2.8MB

MD5
1728580f64c4b56c123118375279e02e

SHA1
a38443635a1b222c5136ed97f548ffbf3e6ea7ff

SHA256
ceb0e7ae219fd83f4f0896b9d9e610ed9963c60581ab33e235d9ab4fd70baa92

SHA512
32d5ca2c88c1941dea68aacd7c46badb6a322c3d97f12d676136d2791a789cff3e44fc4683571c9e8b2b468c67908a6421e9e4be948bad9213af4d21df50cdfa

Download Submit
memory/1860-138-0x0000000003330000-0x00000000033F2000-memory.dmp

Filesize
776KB

Download
memory/1860-139-0x0000000003400000-0x00000000034AE000-memory.dmp

Filesize
696KB

Download
memory/1860-147-0x00000000031F0000-0x000000000332D000-memory.dmp

Filesize
1.2MB

Download
memory/1860-136-0x0000000002E30000-0x00000000030A8000-memory.dmp

Filesize
2.5MB

Download
memory/1860-137-0x00000000031F0000-0x000000000332D000-memory.dmp

Filesize
1.2MB

Download
memory/4380-146-0x0000000002780000-0x0000000002A4E000-memory.dmp

Filesize
2.8MB

Download
memory/4380-148-0x0000000002DD0000-0x0000000003048000-memory.dmp

Filesize
2.5MB

Download
memory/4380-149-0x0000000003190000-0x00000000032CD000-memory.dmp

Filesize
1.2MB

Download
memory/4380-150-0x00000000032D0000-0x0000000003392000-memory.dmp

Filesize
776KB

Download
memory/4380-151-0x00000000033A0000-0x000000000344E000-memory.dmp

Filesize
696KB

Download
memory/4380-154-0x0000000003190000-0x00000000032CD000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing