c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d

General

Target

c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe
Size

1.9MB
MD5

3e2a8e59e795116d48569b647bf1d402
SHA1

ce56de7c6b7a5ff0c507395299b150df2a4c2d3e
SHA256

c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d
SHA512

4d75d61fee41ad3aa7937efec92b36a1bf9f05ba985d1b0a640e88536f4b8ae23c44285eebc8601f21044c5486b8cbd46879250d4c3bcc8de530cd18fc741c06
SSDEEP

49152:WxYmpsHKwDpH1C0dlqDIZj06xRRtOmQ7iHI1MOoF:WTsHKwDpH1C0nq6Jf+mVIyF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

824 rundll32.exe
824 rundll32.exe
3448 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
824	rundll32.exe
824	rundll32.exe
3448	rundll32.exe

Modifies registry class 1 IoCs

Processes:

c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 4712 wrote to memory of 1612	4712	c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe	control.exe
PID 4712 wrote to memory of 1612	4712	c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe	control.exe
PID 4712 wrote to memory of 1612	4712	c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe	control.exe
PID 1612 wrote to memory of 824	1612	control.exe	rundll32.exe
PID 1612 wrote to memory of 824	1612	control.exe	rundll32.exe
PID 1612 wrote to memory of 824	1612	control.exe	rundll32.exe
PID 824 wrote to memory of 3180	824	rundll32.exe	RunDll32.exe
PID 824 wrote to memory of 3180	824	rundll32.exe	RunDll32.exe
PID 3180 wrote to memory of 3448	3180	RunDll32.exe	rundll32.exe
PID 3180 wrote to memory of 3448	3180	RunDll32.exe	rundll32.exe
PID 3180 wrote to memory of 3448	3180	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe
"C:\Users\Admin\AppData\Local\Temp\c3cd3e65bd79f0045d65d8314d42a3556893390e97b2ccaf83ca1d94df151f8d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\9hPWDS.cpL",
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9hPWDS.cpL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9hPWDS.cpL",
4⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\9hPWDS.cpL",
5⤵
- Loads dropped DLL
PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9hPWDS.cpL

Filesize
1.7MB

MD5
a0215fb9a6b982190799548de43614d0

SHA1
29c92754aeb86aa2a625593a9db638de80e0959b

SHA256
2d9802309d8034b1cc79b14dc2577928dbfc51522dce0b421aafbef27013ad05

SHA512
1c75b5f5c72c3905cbf8bcec1277cfb002151e2b4b6f14fe28dda2ace965b8c4ebb2e9f14097ed00670408ced45c861631902d9bbf372c938d28fb497273dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hPWdS.cpl

Filesize
1.7MB

MD5
a0215fb9a6b982190799548de43614d0

SHA1
29c92754aeb86aa2a625593a9db638de80e0959b

SHA256
2d9802309d8034b1cc79b14dc2577928dbfc51522dce0b421aafbef27013ad05

SHA512
1c75b5f5c72c3905cbf8bcec1277cfb002151e2b4b6f14fe28dda2ace965b8c4ebb2e9f14097ed00670408ced45c861631902d9bbf372c938d28fb497273dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hPWdS.cpl

Filesize
1.7MB

MD5
a0215fb9a6b982190799548de43614d0

SHA1
29c92754aeb86aa2a625593a9db638de80e0959b

SHA256
2d9802309d8034b1cc79b14dc2577928dbfc51522dce0b421aafbef27013ad05

SHA512
1c75b5f5c72c3905cbf8bcec1277cfb002151e2b4b6f14fe28dda2ace965b8c4ebb2e9f14097ed00670408ced45c861631902d9bbf372c938d28fb497273dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hPWdS.cpl

Filesize
1.7MB

MD5
a0215fb9a6b982190799548de43614d0

SHA1
29c92754aeb86aa2a625593a9db638de80e0959b

SHA256
2d9802309d8034b1cc79b14dc2577928dbfc51522dce0b421aafbef27013ad05

SHA512
1c75b5f5c72c3905cbf8bcec1277cfb002151e2b4b6f14fe28dda2ace965b8c4ebb2e9f14097ed00670408ced45c861631902d9bbf372c938d28fb497273dbcc

Download Submit
memory/824-142-0x0000000002F60000-0x0000000003014000-memory.dmp

Filesize
720KB

Download
memory/824-133-0x0000000000000000-mapping.dmp

Download
memory/824-138-0x0000000002B10000-0x0000000002C4B000-memory.dmp

Filesize
1.2MB

Download
memory/824-139-0x0000000002D70000-0x0000000002E85000-memory.dmp

Filesize
1.1MB

Download
memory/824-140-0x0000000002E90000-0x0000000002F57000-memory.dmp

Filesize
796KB

Download
memory/824-141-0x0000000002F60000-0x0000000003014000-memory.dmp

Filesize
720KB

Download
memory/824-137-0x0000000002720000-0x00000000028CD000-memory.dmp

Filesize
1.7MB

Download
memory/824-154-0x0000000002D70000-0x0000000002E85000-memory.dmp

Filesize
1.1MB

Download
memory/1612-132-0x0000000000000000-mapping.dmp

Download
memory/3180-144-0x0000000000000000-mapping.dmp

Download
memory/3448-147-0x0000000003150000-0x000000000328B000-memory.dmp

Filesize
1.2MB

Download
memory/3448-148-0x00000000033B0000-0x00000000034C5000-memory.dmp

Filesize
1.1MB

Download
memory/3448-149-0x00000000034D0000-0x0000000003597000-memory.dmp

Filesize
796KB

Download
memory/3448-151-0x00000000035A0000-0x0000000003654000-memory.dmp

Filesize
720KB

Download
memory/3448-153-0x00000000033B0000-0x00000000034C5000-memory.dmp

Filesize
1.1MB

Download
memory/3448-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads