57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a

General

Target

57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe
Size

1.6MB
MD5

5224fc1980b1ac7fd417debaef29877b
SHA1

dd9c3a55ebb10012dc1b2fc019354c45cedf4fe6
SHA256

57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a
SHA512

aae287f633ac70945058568d8b064a9551bef7ec082e100ff9764cc57dcc214b53658a77ce4fe5e6bc0035c7b9646a9d82700dba909d7db7e4ea965159921dfa
SSDEEP

24576:4ry2uXzmVLvtW/BXgJWNnh5F9UPdxVi3wJZiTPEYZe6RWJLODQtcHNSuxd3fcw/E:4unOWJXzNnhDisAJZiwYZvQpu/vz/sz9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4396 rundll32.exe
4844 rundll32.exe
4844 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4396	rundll32.exe
4844	rundll32.exe
4844	rundll32.exe

Modifies registry class 1 IoCs

Processes:

57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 3912 wrote to memory of 2200	3912	57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe	control.exe
PID 3912 wrote to memory of 2200	3912	57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe	control.exe
PID 3912 wrote to memory of 2200	3912	57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe	control.exe
PID 2200 wrote to memory of 4396	2200	control.exe	rundll32.exe
PID 2200 wrote to memory of 4396	2200	control.exe	rundll32.exe
PID 2200 wrote to memory of 4396	2200	control.exe	rundll32.exe
PID 4396 wrote to memory of 4556	4396	rundll32.exe	RunDll32.exe
PID 4396 wrote to memory of 4556	4396	rundll32.exe	RunDll32.exe
PID 4556 wrote to memory of 4844	4556	RunDll32.exe	rundll32.exe
PID 4556 wrote to memory of 4844	4556	RunDll32.exe	rundll32.exe
PID 4556 wrote to memory of 4844	4556	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe
"C:\Users\Admin\AppData\Local\Temp\57665f375bfb67e94c9468677d73d8ba98d741dc680726f4cd6f75cae04cc95a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
4⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
5⤵
- Loads dropped DLL
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl

Filesize
1.7MB

MD5
2d651abc49d33447713b0fd34f221ae8

SHA1
a20738055f2e9e14baec621d9c0f2fee612414ed

SHA256
631576338236d320ffffe02311493bad49605b5b93fe7a227888553de26ee35b

SHA512
d37ad62467e3bfb0aa39c8e593b53453f4f69868cc5e5f40256d96809410921171edb8882d0749d763538c5ef9a48ffaff7d59da48e8c9412abc856115a17c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs98f.cpl

Filesize
1.7MB

MD5
2d651abc49d33447713b0fd34f221ae8

SHA1
a20738055f2e9e14baec621d9c0f2fee612414ed

SHA256
631576338236d320ffffe02311493bad49605b5b93fe7a227888553de26ee35b

SHA512
d37ad62467e3bfb0aa39c8e593b53453f4f69868cc5e5f40256d96809410921171edb8882d0749d763538c5ef9a48ffaff7d59da48e8c9412abc856115a17c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs98f.cpl

Filesize
1.7MB

MD5
2d651abc49d33447713b0fd34f221ae8

SHA1
a20738055f2e9e14baec621d9c0f2fee612414ed

SHA256
631576338236d320ffffe02311493bad49605b5b93fe7a227888553de26ee35b

SHA512
d37ad62467e3bfb0aa39c8e593b53453f4f69868cc5e5f40256d96809410921171edb8882d0749d763538c5ef9a48ffaff7d59da48e8c9412abc856115a17c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs98f.cpl

Filesize
1.7MB

MD5
2d651abc49d33447713b0fd34f221ae8

SHA1
a20738055f2e9e14baec621d9c0f2fee612414ed

SHA256
631576338236d320ffffe02311493bad49605b5b93fe7a227888553de26ee35b

SHA512
d37ad62467e3bfb0aa39c8e593b53453f4f69868cc5e5f40256d96809410921171edb8882d0749d763538c5ef9a48ffaff7d59da48e8c9412abc856115a17c1e

Download Submit
memory/2200-132-0x0000000000000000-mapping.dmp

Download
memory/4396-138-0x0000000002E20000-0x0000000002EE7000-memory.dmp

Filesize
796KB

Download
memory/4396-154-0x00000000032A0000-0x00000000033B5000-memory.dmp

Filesize
1.1MB

Download
memory/4396-139-0x00000000033C0000-0x0000000003474000-memory.dmp

Filesize
720KB

Download
memory/4396-140-0x00000000033C0000-0x0000000003474000-memory.dmp

Filesize
720KB

Download
memory/4396-137-0x00000000032A0000-0x00000000033B5000-memory.dmp

Filesize
1.1MB

Download
memory/4396-136-0x0000000003040000-0x000000000317B000-memory.dmp

Filesize
1.2MB

Download
memory/4396-133-0x0000000000000000-mapping.dmp

Download
memory/4556-142-0x0000000000000000-mapping.dmp

Download
memory/4844-143-0x0000000000000000-mapping.dmp

Download
memory/4844-147-0x0000000002C70000-0x0000000002DAB000-memory.dmp

Filesize
1.2MB

Download
memory/4844-148-0x0000000002ED0000-0x0000000002FE5000-memory.dmp

Filesize
1.1MB

Download
memory/4844-149-0x0000000002FF0000-0x00000000030B7000-memory.dmp

Filesize
796KB

Download
memory/4844-151-0x00000000030C0000-0x0000000003174000-memory.dmp

Filesize
720KB

Download
memory/4844-153-0x0000000002ED0000-0x0000000002FE5000-memory.dmp

Filesize
1.1MB

Download
memory/4844-146-0x0000000002780000-0x000000000292D000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads