35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a

General

Target

35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe
Size

1.6MB
MD5

24cf7f14b3f8314659fe7e1999b9470e
SHA1

077bfc2b5eb4ef6926fca5b3bcb3823101cb6c0c
SHA256

35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a
SHA512

538f98eed986e696928f43eaff0563a92a2f51943e87146d3ce8eacee01363f4e83861ab300ef775949390a53a1ab536a9b826ccf4fec90834a45611bb839cb0
SSDEEP

49152:908/RY8vF8DMllzD55S7s6MIDCtnb5is2xXM7aJ:e8/RJv+ED5U7XDDKiHXn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe

Loads dropped DLL 3 IoCs

pid	Process
2804	rundll32.exe
4524	rundll32.exe
4524	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 372	5028	35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe	82
PID 5028 wrote to memory of 372	5028	35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe	82
PID 5028 wrote to memory of 372	5028	35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe	82
PID 372 wrote to memory of 2804	372	control.exe	84
PID 372 wrote to memory of 2804	372	control.exe	84
PID 372 wrote to memory of 2804	372	control.exe	84
PID 2804 wrote to memory of 4736	2804	rundll32.exe	93
PID 2804 wrote to memory of 4736	2804	rundll32.exe	93
PID 4736 wrote to memory of 4524	4736	RunDll32.exe	94
PID 4736 wrote to memory of 4524	4736	RunDll32.exe	94
PID 4736 wrote to memory of 4524	4736	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe
"C:\Users\Admin\AppData\Local\Temp\35b2eed19f92c4899d5aa1524db25d9b39056af80e99ddaf5ee36764f77ae25a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2lY7.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2lY7.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2lY7.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2lY7.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2lY7.cPl

Filesize
1.6MB

MD5
c0c0b632897b1373c1947c586140d685

SHA1
17ef1996db1bf62096e4d8309ac97def39abdd60

SHA256
39e6322429b54f75ef307aa55f65af24fdc8badc845a347d96dd20fb1ed29954

SHA512
873677a5aea7eaeecaa71fa18b53d6cd5ba56fb77205e2a9d978361d482bb3bf1b60e47743e64d0e477d72c88702e89b2613e5c856200e3c9c42517ee3d6d41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ly7.cpl

Filesize
1.6MB

MD5
c0c0b632897b1373c1947c586140d685

SHA1
17ef1996db1bf62096e4d8309ac97def39abdd60

SHA256
39e6322429b54f75ef307aa55f65af24fdc8badc845a347d96dd20fb1ed29954

SHA512
873677a5aea7eaeecaa71fa18b53d6cd5ba56fb77205e2a9d978361d482bb3bf1b60e47743e64d0e477d72c88702e89b2613e5c856200e3c9c42517ee3d6d41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ly7.cpl

Filesize
1.6MB

MD5
c0c0b632897b1373c1947c586140d685

SHA1
17ef1996db1bf62096e4d8309ac97def39abdd60

SHA256
39e6322429b54f75ef307aa55f65af24fdc8badc845a347d96dd20fb1ed29954

SHA512
873677a5aea7eaeecaa71fa18b53d6cd5ba56fb77205e2a9d978361d482bb3bf1b60e47743e64d0e477d72c88702e89b2613e5c856200e3c9c42517ee3d6d41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ly7.cpl

Filesize
1.6MB

MD5
c0c0b632897b1373c1947c586140d685

SHA1
17ef1996db1bf62096e4d8309ac97def39abdd60

SHA256
39e6322429b54f75ef307aa55f65af24fdc8badc845a347d96dd20fb1ed29954

SHA512
873677a5aea7eaeecaa71fa18b53d6cd5ba56fb77205e2a9d978361d482bb3bf1b60e47743e64d0e477d72c88702e89b2613e5c856200e3c9c42517ee3d6d41c

Download Submit
memory/2804-141-0x0000000003100000-0x00000000031C9000-memory.dmp

Filesize
804KB

Download
memory/2804-140-0x0000000003000000-0x00000000030F2000-memory.dmp

Filesize
968KB

Download
memory/2804-142-0x00000000026C0000-0x0000000002775000-memory.dmp

Filesize
724KB

Download
memory/2804-139-0x0000000002E10000-0x0000000002F02000-memory.dmp

Filesize
968KB

Download
memory/2804-150-0x0000000002E10000-0x0000000002F02000-memory.dmp

Filesize
968KB

Download
memory/2804-151-0x0000000003000000-0x00000000030F2000-memory.dmp

Filesize
968KB

Download
memory/4524-149-0x0000000000C00000-0x0000000000DA1000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing