3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c

General

Target

3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe
Size

1.5MB
MD5

730048fa35bae36cf58601ef455a71c3
SHA1

587d8eba114ca05a6d15fc88101ab77755469b65
SHA256

3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c
SHA512

4ce50653a7e5121f26915edebd4c8a148bf91540707acbc50272eafa53a34f4c721b1ac9961d955a033b7ebdf9a33f7258420698453ef47283ee7f899f3e0c33
SSDEEP

24576:VJr8tEZgHqZM4hHi6UVa+/S45m3cpqR+ukNuD4axx5UvBdI3IG/AvmsE0VvdEk:VJ4oCiH/Ug+B5BLuRD4aRUpdQIrvLt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	rundll32.exe
3104	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3172	4572	3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe	83
PID 4572 wrote to memory of 3172	4572	3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe	83
PID 4572 wrote to memory of 3172	4572	3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe	83
PID 3172 wrote to memory of 2416	3172	control.exe	85
PID 3172 wrote to memory of 2416	3172	control.exe	85
PID 3172 wrote to memory of 2416	3172	control.exe	85
PID 2416 wrote to memory of 840	2416	rundll32.exe	90
PID 2416 wrote to memory of 840	2416	rundll32.exe	90
PID 840 wrote to memory of 3104	840	RunDll32.exe	91
PID 840 wrote to memory of 3104	840	RunDll32.exe	91
PID 840 wrote to memory of 3104	840	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe
"C:\Users\Admin\AppData\Local\Temp\3f0aa9e5ac994c59b3cf776804ab33f0b70238d4adfb900a49f1931e96a4b09c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cPl",
        5⤵
        Loads dropped DLL
        
        PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cPl

Filesize
1.4MB

MD5
beff7944921c4a3ee81ba1a2891bd4af

SHA1
87d5d7693a375065864754664d1539d16ca3fb22

SHA256
4149ee5d9915335cd0b9a3b437bb47dde8c4058a3fb0842f05ee4ad51fa21b55

SHA512
8745e632e8377af8b9ee6e0391a25b9768f74e53a65e4074b7872d75fceb36eb904e13a45daaf4cce6c3ba3909c1f5f2ec31ab1ea842a74e988de80ed8ec005a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cpl

Filesize
1.4MB

MD5
beff7944921c4a3ee81ba1a2891bd4af

SHA1
87d5d7693a375065864754664d1539d16ca3fb22

SHA256
4149ee5d9915335cd0b9a3b437bb47dde8c4058a3fb0842f05ee4ad51fa21b55

SHA512
8745e632e8377af8b9ee6e0391a25b9768f74e53a65e4074b7872d75fceb36eb904e13a45daaf4cce6c3ba3909c1f5f2ec31ab1ea842a74e988de80ed8ec005a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7NXUyn5.cpl

Filesize
1.4MB

MD5
beff7944921c4a3ee81ba1a2891bd4af

SHA1
87d5d7693a375065864754664d1539d16ca3fb22

SHA256
4149ee5d9915335cd0b9a3b437bb47dde8c4058a3fb0842f05ee4ad51fa21b55

SHA512
8745e632e8377af8b9ee6e0391a25b9768f74e53a65e4074b7872d75fceb36eb904e13a45daaf4cce6c3ba3909c1f5f2ec31ab1ea842a74e988de80ed8ec005a

Download Submit
memory/2416-137-0x0000000003310000-0x000000000341F000-memory.dmp

Filesize
1.1MB

Download
memory/2416-138-0x0000000003530000-0x0000000003640000-memory.dmp

Filesize
1.1MB

Download
memory/2416-139-0x0000000003640000-0x0000000003706000-memory.dmp

Filesize
792KB

Download
memory/2416-140-0x0000000003710000-0x00000000037C3000-memory.dmp

Filesize
716KB

Download
memory/2416-153-0x0000000003530000-0x0000000003640000-memory.dmp

Filesize
1.1MB

Download
memory/3104-146-0x0000000003250000-0x000000000335F000-memory.dmp

Filesize
1.1MB

Download
memory/3104-147-0x0000000003470000-0x0000000003580000-memory.dmp

Filesize
1.1MB

Download
memory/3104-148-0x0000000003590000-0x0000000003656000-memory.dmp

Filesize
792KB

Download
memory/3104-149-0x0000000003670000-0x0000000003723000-memory.dmp

Filesize
716KB

Download
memory/3104-152-0x0000000003470000-0x0000000003580000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing