c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094

General

Target

c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe
Size

1.7MB
MD5

8004a236daa4a408780713ef63fabba2
SHA1

9e79ec34770b0a13f89f1e7fac02f01e59815c51
SHA256

c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094
SHA512

9befe43afe82acf104e983c4e7b42385f5cfe0bfbbb7a82e66247beeb543923e1b46b9ad2f6634fa187fb768b76dd21785901756bf88da53e02a7be6dcb2c734
SSDEEP

49152:EuWxf6wc4E9IvwM6UdDdUJHNyQ8dfiYxHv/vg8x:EuWjc43YMxdmHIPdKYxH3vJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	rundll32.exe
2744	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4288	4656	c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe	83
PID 4656 wrote to memory of 4288	4656	c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe	83
PID 4656 wrote to memory of 4288	4656	c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe	83
PID 4288 wrote to memory of 2744	4288	control.exe	85
PID 4288 wrote to memory of 2744	4288	control.exe	85
PID 4288 wrote to memory of 2744	4288	control.exe	85
PID 2744 wrote to memory of 2204	2744	rundll32.exe	89
PID 2744 wrote to memory of 2204	2744	rundll32.exe	89
PID 2204 wrote to memory of 2848	2204	RunDll32.exe	90
PID 2204 wrote to memory of 2848	2204	RunDll32.exe	90
PID 2204 wrote to memory of 2848	2204	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe
"C:\Users\Admin\AppData\Local\Temp\c3a83ae46ee4b00a1d551476c487e7444036b24ed7ba4d24475ac9e90a552094.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EHMZ8qF.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EHMZ8qF.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EHMZ8qF.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EHMZ8qF.cPL",
        5⤵
        Loads dropped DLL
        
        PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EHMZ8qF.cPL

Filesize
1.6MB

MD5
f41153abc4b9c161419bca4fdb1bce5e

SHA1
0a3ef0d7298e820039047c738e3c56caeea4659d

SHA256
7ca50aba1b8577fd0a5bb7dbb30d17f8c45bd9824c3c30fcd5c0f08176ecd188

SHA512
107f43463e86e517df0d9d92be1ba244d6022ee08cdaf5821530423cc8cbc137d55a02a6f964c434215c65a9cea9e35e0bb821ee09cdd6431bc45d98504ce152

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHmz8qF.cpl

Filesize
1.6MB

MD5
f41153abc4b9c161419bca4fdb1bce5e

SHA1
0a3ef0d7298e820039047c738e3c56caeea4659d

SHA256
7ca50aba1b8577fd0a5bb7dbb30d17f8c45bd9824c3c30fcd5c0f08176ecd188

SHA512
107f43463e86e517df0d9d92be1ba244d6022ee08cdaf5821530423cc8cbc137d55a02a6f964c434215c65a9cea9e35e0bb821ee09cdd6431bc45d98504ce152

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHmz8qF.cpl

Filesize
1.6MB

MD5
f41153abc4b9c161419bca4fdb1bce5e

SHA1
0a3ef0d7298e820039047c738e3c56caeea4659d

SHA256
7ca50aba1b8577fd0a5bb7dbb30d17f8c45bd9824c3c30fcd5c0f08176ecd188

SHA512
107f43463e86e517df0d9d92be1ba244d6022ee08cdaf5821530423cc8cbc137d55a02a6f964c434215c65a9cea9e35e0bb821ee09cdd6431bc45d98504ce152

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHmz8qF.cpl

Filesize
1.6MB

MD5
f41153abc4b9c161419bca4fdb1bce5e

SHA1
0a3ef0d7298e820039047c738e3c56caeea4659d

SHA256
7ca50aba1b8577fd0a5bb7dbb30d17f8c45bd9824c3c30fcd5c0f08176ecd188

SHA512
107f43463e86e517df0d9d92be1ba244d6022ee08cdaf5821530423cc8cbc137d55a02a6f964c434215c65a9cea9e35e0bb821ee09cdd6431bc45d98504ce152

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHmz8qF.cpl

Filesize
1.6MB

MD5
f41153abc4b9c161419bca4fdb1bce5e

SHA1
0a3ef0d7298e820039047c738e3c56caeea4659d

SHA256
7ca50aba1b8577fd0a5bb7dbb30d17f8c45bd9824c3c30fcd5c0f08176ecd188

SHA512
107f43463e86e517df0d9d92be1ba244d6022ee08cdaf5821530423cc8cbc137d55a02a6f964c434215c65a9cea9e35e0bb821ee09cdd6431bc45d98504ce152

Download Submit
memory/2744-137-0x0000000002A40000-0x0000000002BD8000-memory.dmp

Filesize
1.6MB

Download
memory/2744-139-0x0000000003010000-0x0000000003111000-memory.dmp

Filesize
1.0MB

Download
memory/2744-140-0x0000000003120000-0x00000000031E7000-memory.dmp

Filesize
796KB

Download
memory/2744-141-0x0000000002D10000-0x0000000002DC3000-memory.dmp

Filesize
716KB

Download
memory/2744-156-0x0000000003010000-0x0000000003111000-memory.dmp

Filesize
1.0MB

Download
memory/2744-138-0x0000000002DE0000-0x0000000002F06000-memory.dmp

Filesize
1.1MB

Download
memory/2848-148-0x00000000024A0000-0x0000000002638000-memory.dmp

Filesize
1.6MB

Download
memory/2848-149-0x0000000002880000-0x00000000029A6000-memory.dmp

Filesize
1.1MB

Download
memory/2848-150-0x0000000002AB0000-0x0000000002BB1000-memory.dmp

Filesize
1.0MB

Download
memory/2848-151-0x0000000002BC0000-0x0000000002C87000-memory.dmp

Filesize
796KB

Download
memory/2848-152-0x0000000002C90000-0x0000000002D43000-memory.dmp

Filesize
716KB

Download
memory/2848-155-0x0000000002AB0000-0x0000000002BB1000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing