cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a

Resubmissions

06/11/2022, 05:43

221106-ge3kyshbfl 7

06/11/2022, 04:46

221106-fd5hgsfeej 7

Analysis

max time kernel
316s
max time network
320s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe
Size

1.4MB
MD5

150c26e0a6e75076ccc1d9740f474964
SHA1

c67b640e4dc08735a46f3e11d639f912a17ce2cf
SHA256

cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a
SHA512

a4b9e9ee36b276d2f9714598c96b24a719ebbb0ec7d7a66cd934da79ec1dd1d7a3b95b7f51c42927056d6a4e271b9d1559aa7be99d6bc0ac17c2e5f89f334248
SSDEEP

24576:4ry2uXzmVLs11ftArg360a9aLhUFDEzVDGEB9jsC/OaJByq/LGWQ:4unl11AUE9WqDExDRB9jd2yBt/LQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe

Loads dropped DLL 3 IoCs

pid	Process
5016	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4340	2080	cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe	78
PID 2080 wrote to memory of 4340	2080	cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe	78
PID 2080 wrote to memory of 4340	2080	cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe	78
PID 4340 wrote to memory of 5016	4340	control.exe	80
PID 4340 wrote to memory of 5016	4340	control.exe	80
PID 4340 wrote to memory of 5016	4340	control.exe	80
PID 5016 wrote to memory of 4432	5016	rundll32.exe	82
PID 5016 wrote to memory of 4432	5016	rundll32.exe	82
PID 4432 wrote to memory of 1892	4432	RunDll32.exe	83
PID 4432 wrote to memory of 1892	4432	RunDll32.exe	83
PID 4432 wrote to memory of 1892	4432	RunDll32.exe	83

C:\Users\Admin\AppData\Local\Temp\cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe
"C:\Users\Admin\AppData\Local\Temp\cb46ebe1920753d5bc23c30b282a801f9e2d33b2ebb1d1cdc294cdae1e3e9d5a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.Cpl

Filesize
1.4MB

MD5
3efb5ffedbc4468bcb7769390cf8328c

SHA1
0bff1d5f78549c7b4da04e90fe0a945ab5b92790

SHA256
4cc08f6532003cb1bc1a0421234b21f8e4e5363ca4a7af440af4eb39994f3965

SHA512
1a730525c28af93ce9c7271b96757f363db47c1ababe1ce41c4b9cb10c2bff175a19cdf87c1325f20deeab867366043b2478fad79df69f0d3a61814443841133

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.cpl

Filesize
1.4MB

MD5
3efb5ffedbc4468bcb7769390cf8328c

SHA1
0bff1d5f78549c7b4da04e90fe0a945ab5b92790

SHA256
4cc08f6532003cb1bc1a0421234b21f8e4e5363ca4a7af440af4eb39994f3965

SHA512
1a730525c28af93ce9c7271b96757f363db47c1ababe1ce41c4b9cb10c2bff175a19cdf87c1325f20deeab867366043b2478fad79df69f0d3a61814443841133

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.cpl

Filesize
1.4MB

MD5
3efb5ffedbc4468bcb7769390cf8328c

SHA1
0bff1d5f78549c7b4da04e90fe0a945ab5b92790

SHA256
4cc08f6532003cb1bc1a0421234b21f8e4e5363ca4a7af440af4eb39994f3965

SHA512
1a730525c28af93ce9c7271b96757f363db47c1ababe1ce41c4b9cb10c2bff175a19cdf87c1325f20deeab867366043b2478fad79df69f0d3a61814443841133

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6F~Ouhs.cpl

Filesize
1.4MB

MD5
3efb5ffedbc4468bcb7769390cf8328c

SHA1
0bff1d5f78549c7b4da04e90fe0a945ab5b92790

SHA256
4cc08f6532003cb1bc1a0421234b21f8e4e5363ca4a7af440af4eb39994f3965

SHA512
1a730525c28af93ce9c7271b96757f363db47c1ababe1ce41c4b9cb10c2bff175a19cdf87c1325f20deeab867366043b2478fad79df69f0d3a61814443841133

Download Submit
memory/1892-146-0x0000000002720000-0x000000000287F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-153-0x0000000002D20000-0x0000000002E1B000-memory.dmp

Filesize
1004KB

Download
memory/1892-150-0x0000000002EF0000-0x0000000002FA7000-memory.dmp

Filesize
732KB

Download
memory/1892-149-0x0000000002E20000-0x0000000002EE9000-memory.dmp

Filesize
804KB

Download
memory/1892-148-0x0000000002D20000-0x0000000002E1B000-memory.dmp

Filesize
1004KB

Download
memory/1892-147-0x0000000002B20000-0x0000000002C1E000-memory.dmp

Filesize
1016KB

Download
memory/5016-139-0x0000000002FF0000-0x00000000030A7000-memory.dmp

Filesize
732KB

Download
memory/5016-138-0x0000000002F20000-0x0000000002FE9000-memory.dmp

Filesize
804KB

Download
memory/5016-137-0x0000000002E20000-0x0000000002F1B000-memory.dmp

Filesize
1004KB

Download
memory/5016-136-0x0000000002C20000-0x0000000002D1E000-memory.dmp

Filesize
1016KB

Download
memory/5016-154-0x0000000002E20000-0x0000000002F1B000-memory.dmp

Filesize
1004KB

Download