44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade

General

Target

44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe
Size

1.8MB
MD5

77ccebca0e61c152015429d2f27ed0ae
SHA1

e6b3a971679ebb810844ac2e3e1b6c1dc8e9df80
SHA256

44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade
SHA512

ca2ff71f8bc9e553c6374d75943a056b66480fa0c4a0c5bf3ea6a5d02bb9f2b7cd867ced5aa01bc3c547cfecd7a0a839b9fa4cb2001c311bb33acc066e938b92
SSDEEP

24576:5HLmCiIhiXQtTezW2KN1PD5zqlKjltlJyQTNVHbvtpdf8D7LcUYmyVQTDaZjbezU:qYTez4PpTLXnvdf8D7LvbTCj6TU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2484 rundll32.exe
996 rundll32.exe
996 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2484	rundll32.exe
996	rundll32.exe
996	rundll32.exe

Modifies registry class 1 IoCs

Processes:

44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 3344 wrote to memory of 3532	3344	44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe	control.exe
PID 3344 wrote to memory of 3532	3344	44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe	control.exe
PID 3344 wrote to memory of 3532	3344	44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe	control.exe
PID 3532 wrote to memory of 2484	3532	control.exe	rundll32.exe
PID 3532 wrote to memory of 2484	3532	control.exe	rundll32.exe
PID 3532 wrote to memory of 2484	3532	control.exe	rundll32.exe
PID 2484 wrote to memory of 3400	2484	rundll32.exe	RunDll32.exe
PID 2484 wrote to memory of 3400	2484	rundll32.exe	RunDll32.exe
PID 3400 wrote to memory of 996	3400	RunDll32.exe	rundll32.exe
PID 3400 wrote to memory of 996	3400	RunDll32.exe	rundll32.exe
PID 3400 wrote to memory of 996	3400	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe
"C:\Users\Admin\AppData\Local\Temp\44433cb374794383b86e826326e5b48d712c4e0e9144273c85e5de8b8bd51ade.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\LBWH.cpL",
2⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBWH.cpL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBWH.cpL",
4⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\LBWH.cpL",
5⤵
- Loads dropped DLL
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LBWH.cpL

Filesize
1.7MB

MD5
6288e5cbe9189ddad8fa7984d8b90a17

SHA1
775aa4b846b91ca2d352f0b7c81192dd4db17105

SHA256
64d65f25f51552437d89c6901c9fc44b289817fda14fff76fb5243fc6c11132c

SHA512
f2eb7407b92b7cd129a80080e7b88d72ce959756efbfe22932fda3431dba16ddc975059707cb48dd72be062f0439add610fbe447655f9c6ea3ea8480935422b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBWh.cpl

Filesize
1.7MB

MD5
6288e5cbe9189ddad8fa7984d8b90a17

SHA1
775aa4b846b91ca2d352f0b7c81192dd4db17105

SHA256
64d65f25f51552437d89c6901c9fc44b289817fda14fff76fb5243fc6c11132c

SHA512
f2eb7407b92b7cd129a80080e7b88d72ce959756efbfe22932fda3431dba16ddc975059707cb48dd72be062f0439add610fbe447655f9c6ea3ea8480935422b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBWh.cpl

Filesize
1.7MB

MD5
6288e5cbe9189ddad8fa7984d8b90a17

SHA1
775aa4b846b91ca2d352f0b7c81192dd4db17105

SHA256
64d65f25f51552437d89c6901c9fc44b289817fda14fff76fb5243fc6c11132c

SHA512
f2eb7407b92b7cd129a80080e7b88d72ce959756efbfe22932fda3431dba16ddc975059707cb48dd72be062f0439add610fbe447655f9c6ea3ea8480935422b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBWh.cpl

Filesize
1.7MB

MD5
6288e5cbe9189ddad8fa7984d8b90a17

SHA1
775aa4b846b91ca2d352f0b7c81192dd4db17105

SHA256
64d65f25f51552437d89c6901c9fc44b289817fda14fff76fb5243fc6c11132c

SHA512
f2eb7407b92b7cd129a80080e7b88d72ce959756efbfe22932fda3431dba16ddc975059707cb48dd72be062f0439add610fbe447655f9c6ea3ea8480935422b5

Download Submit
memory/996-149-0x0000000002980000-0x0000000002A4E000-memory.dmp

Filesize
824KB

Download
memory/996-148-0x0000000002EB0000-0x0000000002FC1000-memory.dmp

Filesize
1.1MB

Download
memory/996-154-0x0000000002C90000-0x0000000002DA0000-memory.dmp

Filesize
1.1MB

Download
memory/996-153-0x0000000002EB0000-0x0000000002FC1000-memory.dmp

Filesize
1.1MB

Download
memory/996-150-0x0000000002FD0000-0x000000000308C000-memory.dmp

Filesize
752KB

Download
memory/996-143-0x0000000000000000-mapping.dmp

Download
memory/996-147-0x0000000002C90000-0x0000000002DA0000-memory.dmp

Filesize
1.1MB

Download
memory/996-146-0x00000000027C0000-0x000000000297F000-memory.dmp

Filesize
1.7MB

Download
memory/2484-133-0x0000000000000000-mapping.dmp

Download
memory/2484-136-0x00000000032A0000-0x00000000033B0000-memory.dmp

Filesize
1.1MB

Download
memory/2484-137-0x00000000034C0000-0x00000000035D1000-memory.dmp

Filesize
1.1MB

Download
memory/2484-139-0x00000000036B0000-0x000000000376C000-memory.dmp

Filesize
752KB

Download
memory/2484-138-0x00000000035E0000-0x00000000036AE000-memory.dmp

Filesize
824KB

Download
memory/2484-155-0x00000000034C0000-0x00000000035D1000-memory.dmp

Filesize
1.1MB

Download
memory/3400-142-0x0000000000000000-mapping.dmp

Download
memory/3532-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads