615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131

General

Target

615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe
Size

1.7MB
MD5

a9894a4e1ec54193d5dcac4fc5b570a9
SHA1

dcaf4c228d57c09e57c9b4c43f97e691d4c96919
SHA256

615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131
SHA512

00e69357d887ada49089ad121122fea060d233635004503677bcd790613979411685927811cfc67110c86ccbcc4fac61b9c02afa498399cc014a4be45ca30be9
SSDEEP

24576:KLlgAiob65jv6ztfBxS+FFV9j/lb6TlTEiLbYOf6dynUbKVF1cfP4hQ7sQMfKTLd:Ky958tfBRFMlJb8WT1DZQFLtZV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe

Loads dropped DLL 3 IoCs

pid	Process
3928	rundll32.exe
3928	rundll32.exe
4992	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 5116	3540	615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe	82
PID 3540 wrote to memory of 5116	3540	615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe	82
PID 3540 wrote to memory of 5116	3540	615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe	82
PID 5116 wrote to memory of 3928	5116	control.exe	83
PID 5116 wrote to memory of 3928	5116	control.exe	83
PID 5116 wrote to memory of 3928	5116	control.exe	83
PID 3928 wrote to memory of 4360	3928	rundll32.exe	84
PID 3928 wrote to memory of 4360	3928	rundll32.exe	84
PID 4360 wrote to memory of 4992	4360	RunDll32.exe	85
PID 4360 wrote to memory of 4992	4360	RunDll32.exe	85
PID 4360 wrote to memory of 4992	4360	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe
"C:\Users\Admin\AppData\Local\Temp\615e6385626ede37425717337ee0c65ca3073b2ca5fed5da486edfbc4a00c131.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\3~J6K.JH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\3~J6K.JH
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\3~J6K.JH
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\3~J6K.JH
        5⤵
        Loads dropped DLL
        
        PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3~J6K.JH

Filesize
1.8MB

MD5
c2c6df007569080d3258bbbc40830269

SHA1
8d55d8cd86deb56dc461e570d7a65a940302451c

SHA256
bfb16a70cb43f0d513d85837c32f7d074a4debcced62d0a9d8284e8b9443f794

SHA512
16b13a86e1715a065007d7284329d1779e91cda6b60fd655e79f5eeab7247367789bdb9d1352e9cd0bac6dea308485b72f4e08ac4b677e12a7f11c8a9aeba6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3~J6k.JH

Filesize
1.8MB

MD5
c2c6df007569080d3258bbbc40830269

SHA1
8d55d8cd86deb56dc461e570d7a65a940302451c

SHA256
bfb16a70cb43f0d513d85837c32f7d074a4debcced62d0a9d8284e8b9443f794

SHA512
16b13a86e1715a065007d7284329d1779e91cda6b60fd655e79f5eeab7247367789bdb9d1352e9cd0bac6dea308485b72f4e08ac4b677e12a7f11c8a9aeba6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3~J6k.JH

Filesize
1.8MB

MD5
c2c6df007569080d3258bbbc40830269

SHA1
8d55d8cd86deb56dc461e570d7a65a940302451c

SHA256
bfb16a70cb43f0d513d85837c32f7d074a4debcced62d0a9d8284e8b9443f794

SHA512
16b13a86e1715a065007d7284329d1779e91cda6b60fd655e79f5eeab7247367789bdb9d1352e9cd0bac6dea308485b72f4e08ac4b677e12a7f11c8a9aeba6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3~J6k.JH

Filesize
1.8MB

MD5
c2c6df007569080d3258bbbc40830269

SHA1
8d55d8cd86deb56dc461e570d7a65a940302451c

SHA256
bfb16a70cb43f0d513d85837c32f7d074a4debcced62d0a9d8284e8b9443f794

SHA512
16b13a86e1715a065007d7284329d1779e91cda6b60fd655e79f5eeab7247367789bdb9d1352e9cd0bac6dea308485b72f4e08ac4b677e12a7f11c8a9aeba6c3

Download Submit
memory/3928-143-0x0000000000C60000-0x0000000000D14000-memory.dmp

Filesize
720KB

Download
memory/3928-138-0x0000000002990000-0x0000000002AA1000-memory.dmp

Filesize
1.1MB

Download
memory/3928-139-0x0000000002BC0000-0x0000000002CCF000-memory.dmp

Filesize
1.1MB

Download
memory/3928-140-0x0000000000D30000-0x0000000000DF8000-memory.dmp

Filesize
800KB

Download
memory/3928-142-0x0000000000C6C000-0x0000000000D12000-memory.dmp

Filesize
664KB

Download
memory/3928-154-0x0000000002BC0000-0x0000000002CCF000-memory.dmp

Filesize
1.1MB

Download
memory/3928-141-0x0000000000C60000-0x0000000000CED000-memory.dmp

Filesize
564KB

Download
memory/3928-137-0x0000000002570000-0x0000000002741000-memory.dmp

Filesize
1.8MB

Download
memory/4992-147-0x0000000003460000-0x0000000003571000-memory.dmp

Filesize
1.1MB

Download
memory/4992-148-0x0000000003690000-0x000000000379F000-memory.dmp

Filesize
1.1MB

Download
memory/4992-149-0x0000000003260000-0x0000000003328000-memory.dmp

Filesize
800KB

Download
memory/4992-150-0x00000000037A0000-0x0000000003854000-memory.dmp

Filesize
720KB

Download
memory/4992-153-0x0000000003690000-0x000000000379F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing