07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f

General

Target

07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe
Size

1.6MB
MD5

fab715c7d1b3f20d85fd593c8649e07c
SHA1

b1c081077787a62f101fc03eda8782bf94a2ac22
SHA256

07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f
SHA512

7661c5f3bc1ac8d139a589e7484d15cb8cdd0bc5faa13d200c31320c040d6a479ccbb582314dfbc6796b5c6e461bfe99e95c40c3090d5eef07121824ce544508
SSDEEP

24576:4ry2uXzmVLeRTgLszgM5EXiMfxtaqbuohAGbwMcgxpVO7u7gNej5o0LS4zEW0cwT:4unqCg0ZMfnAcOipQYKe1TSW0zm2z9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1268 rundll32.exe
4364 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1268	rundll32.exe
4364	rundll32.exe

Modifies registry class 1 IoCs

Processes:

07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 4928 wrote to memory of 1456	4928	07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe	control.exe
PID 4928 wrote to memory of 1456	4928	07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe	control.exe
PID 4928 wrote to memory of 1456	4928	07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe	control.exe
PID 1456 wrote to memory of 1268	1456	control.exe	rundll32.exe
PID 1456 wrote to memory of 1268	1456	control.exe	rundll32.exe
PID 1456 wrote to memory of 1268	1456	control.exe	rundll32.exe
PID 1268 wrote to memory of 2464	1268	rundll32.exe	RunDll32.exe
PID 1268 wrote to memory of 2464	1268	rundll32.exe	RunDll32.exe
PID 2464 wrote to memory of 4364	2464	RunDll32.exe	rundll32.exe
PID 2464 wrote to memory of 4364	2464	RunDll32.exe	rundll32.exe
PID 2464 wrote to memory of 4364	2464	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe
"C:\Users\Admin\AppData\Local\Temp\07a45c6b307c26ca304298a53878c7ce5594e118733d6fbd5a1eef85d278bc2f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl",
        5⤵
        Loads dropped DLL
        
        PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZS98f.CPl

Filesize
1.7MB

MD5
7f8754fc25a0ec481a1eaff4357b1742

SHA1
fdf1b6deb01bc9c9c1b800aa57682d09a8cad4d2

SHA256
7e00b9e62357606515b32642669df6ecf0c33215f576cc21907b314ee95836d7

SHA512
413de4a8bbc6edeafd30993a4fc8f0a85bbc94eb76fb48a1d6fedf016eff54c7a1c1b02632516d616a346c2690810e1ca6b8d33b26fc7f1f73513f53c3f2dd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs98f.cpl

Filesize
1.7MB

MD5
7f8754fc25a0ec481a1eaff4357b1742

SHA1
fdf1b6deb01bc9c9c1b800aa57682d09a8cad4d2

SHA256
7e00b9e62357606515b32642669df6ecf0c33215f576cc21907b314ee95836d7

SHA512
413de4a8bbc6edeafd30993a4fc8f0a85bbc94eb76fb48a1d6fedf016eff54c7a1c1b02632516d616a346c2690810e1ca6b8d33b26fc7f1f73513f53c3f2dd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zs98f.cpl

Filesize
1.7MB

MD5
7f8754fc25a0ec481a1eaff4357b1742

SHA1
fdf1b6deb01bc9c9c1b800aa57682d09a8cad4d2

SHA256
7e00b9e62357606515b32642669df6ecf0c33215f576cc21907b314ee95836d7

SHA512
413de4a8bbc6edeafd30993a4fc8f0a85bbc94eb76fb48a1d6fedf016eff54c7a1c1b02632516d616a346c2690810e1ca6b8d33b26fc7f1f73513f53c3f2dd6b

Download Submit
memory/1268-136-0x00000000034D0000-0x000000000360B000-memory.dmp

Filesize
1.2MB

Download
memory/1268-133-0x0000000000000000-mapping.dmp

Download
memory/1268-137-0x0000000003730000-0x0000000003845000-memory.dmp

Filesize
1.1MB

Download
memory/1268-138-0x00000000034D0000-0x000000000360B000-memory.dmp

Filesize
1.2MB

Download
memory/1268-139-0x0000000003850000-0x0000000003917000-memory.dmp

Filesize
796KB

Download
memory/1268-140-0x0000000002D90000-0x0000000002E44000-memory.dmp

Filesize
720KB

Download
memory/1268-141-0x0000000002D90000-0x0000000002E44000-memory.dmp

Filesize
720KB

Download
memory/1268-153-0x0000000003730000-0x0000000003845000-memory.dmp

Filesize
1.1MB

Download
memory/1456-132-0x0000000000000000-mapping.dmp

Download
memory/2464-143-0x0000000000000000-mapping.dmp

Download
memory/4364-147-0x0000000003250000-0x0000000003365000-memory.dmp

Filesize
1.1MB

Download
memory/4364-146-0x0000000002FF0000-0x000000000312B000-memory.dmp

Filesize
1.2MB

Download
memory/4364-148-0x0000000003370000-0x0000000003437000-memory.dmp

Filesize
796KB

Download
memory/4364-150-0x0000000003440000-0x00000000034F4000-memory.dmp

Filesize
720KB

Download
memory/4364-152-0x0000000003250000-0x0000000003365000-memory.dmp

Filesize
1.1MB

Download
memory/4364-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads