2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd

General

Target

2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe
Size

1.8MB
MD5

8a86dc04a8c8c6d01f3255b0f2f235a0
SHA1

de1bd0016944382f0ae854ddde06a4a6383bfbc5
SHA256

2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd
SHA512

2661cc9975b57613420c3a6f777084abab6a0cef0070a4e913495b914b5917ff678e45058deafdac728d5b58b9433957b1ba754ae08d151b53226d25209e8d0b
SSDEEP

49152:m94TC/FfayPPcb+PJYFcup26yxrKKW2ZClL:mNZpPEb+Pwp26y9xW2Ud

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe

Loads dropped DLL 4 IoCs

pid	Process
3336	rundll32.exe
3336	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1376	1800	2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe	78
PID 1800 wrote to memory of 1376	1800	2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe	78
PID 1800 wrote to memory of 1376	1800	2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe	78
PID 1376 wrote to memory of 3336	1376	control.exe	80
PID 1376 wrote to memory of 3336	1376	control.exe	80
PID 1376 wrote to memory of 3336	1376	control.exe	80
PID 3336 wrote to memory of 1608	3336	rundll32.exe	82
PID 3336 wrote to memory of 1608	3336	rundll32.exe	82
PID 1608 wrote to memory of 4368	1608	RunDll32.exe	83
PID 1608 wrote to memory of 4368	1608	RunDll32.exe	83
PID 1608 wrote to memory of 4368	1608	RunDll32.exe	83

C:\Users\Admin\AppData\Local\Temp\2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe
"C:\Users\Admin\AppData\Local\Temp\2c6c910fca68fc6588948c1936e553740d2127537f3872d27af3927146482bdd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\J4HGMq.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\J4HGMq.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\J4HGMq.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\J4HGMq.CPL",
        5⤵
        Loads dropped DLL
        
        PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J4HGMq.CPL

Filesize
1.9MB

MD5
ac781c9f8f80a21a423d352e4013b0f4

SHA1
38e7f370a9b5f50f99e635cb2c3bace344b0dfbc

SHA256
bc95c701eb66d50b3dd5f7823f3d950fc3266eb7bd6459a3fb1ebb0ca648bb9a

SHA512
4ba6182ddcb1515a8a7318992d1ecd0e7f09a92da353ea26372f649577a89785d6466aa3d51b0eba2e5620243e0193d123be8f368d57c20bb52fda3e88e04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J4hGMq.cpl

Filesize
1.9MB

MD5
ac781c9f8f80a21a423d352e4013b0f4

SHA1
38e7f370a9b5f50f99e635cb2c3bace344b0dfbc

SHA256
bc95c701eb66d50b3dd5f7823f3d950fc3266eb7bd6459a3fb1ebb0ca648bb9a

SHA512
4ba6182ddcb1515a8a7318992d1ecd0e7f09a92da353ea26372f649577a89785d6466aa3d51b0eba2e5620243e0193d123be8f368d57c20bb52fda3e88e04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J4hGMq.cpl

Filesize
1.9MB

MD5
ac781c9f8f80a21a423d352e4013b0f4

SHA1
38e7f370a9b5f50f99e635cb2c3bace344b0dfbc

SHA256
bc95c701eb66d50b3dd5f7823f3d950fc3266eb7bd6459a3fb1ebb0ca648bb9a

SHA512
4ba6182ddcb1515a8a7318992d1ecd0e7f09a92da353ea26372f649577a89785d6466aa3d51b0eba2e5620243e0193d123be8f368d57c20bb52fda3e88e04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J4hGMq.cpl

Filesize
1.9MB

MD5
ac781c9f8f80a21a423d352e4013b0f4

SHA1
38e7f370a9b5f50f99e635cb2c3bace344b0dfbc

SHA256
bc95c701eb66d50b3dd5f7823f3d950fc3266eb7bd6459a3fb1ebb0ca648bb9a

SHA512
4ba6182ddcb1515a8a7318992d1ecd0e7f09a92da353ea26372f649577a89785d6466aa3d51b0eba2e5620243e0193d123be8f368d57c20bb52fda3e88e04fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J4hGMq.cpl

Filesize
1.9MB

MD5
ac781c9f8f80a21a423d352e4013b0f4

SHA1
38e7f370a9b5f50f99e635cb2c3bace344b0dfbc

SHA256
bc95c701eb66d50b3dd5f7823f3d950fc3266eb7bd6459a3fb1ebb0ca648bb9a

SHA512
4ba6182ddcb1515a8a7318992d1ecd0e7f09a92da353ea26372f649577a89785d6466aa3d51b0eba2e5620243e0193d123be8f368d57c20bb52fda3e88e04fd1

Download Submit
memory/3336-142-0x0000000002D50000-0x0000000002E11000-memory.dmp

Filesize
772KB

Download
memory/3336-141-0x0000000002D50000-0x0000000002E11000-memory.dmp

Filesize
772KB

Download
memory/3336-139-0x0000000002B20000-0x0000000002C64000-memory.dmp

Filesize
1.3MB

Download
memory/3336-138-0x0000000002850000-0x00000000029C1000-memory.dmp

Filesize
1.4MB

Download
memory/3336-156-0x0000000002B20000-0x0000000002C64000-memory.dmp

Filesize
1.3MB

Download
memory/3336-137-0x0000000002370000-0x0000000002554000-memory.dmp

Filesize
1.9MB

Download
memory/3336-140-0x0000000002C70000-0x0000000002D43000-memory.dmp

Filesize
844KB

Download
memory/4368-148-0x0000000002540000-0x0000000002724000-memory.dmp

Filesize
1.9MB

Download
memory/4368-149-0x00000000029B0000-0x0000000002B21000-memory.dmp

Filesize
1.4MB

Download
memory/4368-150-0x0000000002C80000-0x0000000002DC4000-memory.dmp

Filesize
1.3MB

Download
memory/4368-151-0x0000000002DD0000-0x0000000002EA3000-memory.dmp

Filesize
844KB

Download
memory/4368-153-0x0000000002EC0000-0x0000000002F81000-memory.dmp

Filesize
772KB

Download
memory/4368-155-0x0000000002C80000-0x0000000002DC4000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing