6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667

General

Target

6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe
Size

1.7MB
MD5

1d22ac9846eba303d971643f0ecf52d2
SHA1

61c848d86dfc2964e48a4f2856f291129b5c705d
SHA256

6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667
SHA512

6097f3ed2e5146304ee9a602a805550c3959667749c5fae77c107046bfc4442c4cff0b5a6f132eac52a9647dce7a89a46abe523b3c457776e8cb0859dd52189b
SSDEEP

49152:NsAD7L6DY6dbJxa40ndZdVkf7b0JtrCFQe:uADyDpdbJxYffaUJhCFB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

228 rundll32.exe
3652 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
228	rundll32.exe
3652	rundll32.exe

Modifies registry class 1 IoCs

Processes:

6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings	6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 1148 wrote to memory of 2764	1148	6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe	control.exe
PID 1148 wrote to memory of 2764	1148	6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe	control.exe
PID 1148 wrote to memory of 2764	1148	6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe	control.exe
PID 2764 wrote to memory of 228	2764	control.exe	rundll32.exe
PID 2764 wrote to memory of 228	2764	control.exe	rundll32.exe
PID 2764 wrote to memory of 228	2764	control.exe	rundll32.exe
PID 228 wrote to memory of 3348	228	rundll32.exe	RunDll32.exe
PID 228 wrote to memory of 3348	228	rundll32.exe	RunDll32.exe
PID 3348 wrote to memory of 3652	3348	RunDll32.exe	rundll32.exe
PID 3348 wrote to memory of 3652	3348	RunDll32.exe	rundll32.exe
PID 3348 wrote to memory of 3652	3348	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe
"C:\Users\Admin\AppData\Local\Temp\6aad8a32e30f465fbff02e87be305d0658f200d2bc434806471ea747e14d4667.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.CpL",
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.CpL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.CpL",
4⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.CpL",
5⤵
- Loads dropped DLL
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.CpL
Filesize
1.7MB

MD5
508640a1423d42a18ff4bdcd9b7ad1aa

SHA1
f62e061d8ea7f959893eff924a1082698c0dcf9b

SHA256
fa08547563dd146e6bfdb9826ec49541ccb9910d943fc5cd6d2dc6e6c1923685

SHA512
3d6e3149de51c6ad4ff29beb9eea4e199b1dd94c96842254c6db05eda016dc0812905d86761384107b1c969819bf0c45555efaf1e6657c5df52a766ae4e9bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.cpl
Filesize
1.7MB

MD5
508640a1423d42a18ff4bdcd9b7ad1aa

SHA1
f62e061d8ea7f959893eff924a1082698c0dcf9b

SHA256
fa08547563dd146e6bfdb9826ec49541ccb9910d943fc5cd6d2dc6e6c1923685

SHA512
3d6e3149de51c6ad4ff29beb9eea4e199b1dd94c96842254c6db05eda016dc0812905d86761384107b1c969819bf0c45555efaf1e6657c5df52a766ae4e9bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zP7SMn9F.cpl
Filesize
1.7MB

MD5
508640a1423d42a18ff4bdcd9b7ad1aa

SHA1
f62e061d8ea7f959893eff924a1082698c0dcf9b

SHA256
fa08547563dd146e6bfdb9826ec49541ccb9910d943fc5cd6d2dc6e6c1923685

SHA512
3d6e3149de51c6ad4ff29beb9eea4e199b1dd94c96842254c6db05eda016dc0812905d86761384107b1c969819bf0c45555efaf1e6657c5df52a766ae4e9bc31

Download Submit
memory/228-133-0x0000000000000000-mapping.dmp

Download
memory/228-137-0x00000000034C0000-0x00000000035D1000-memory.dmp

Filesize
1.1MB

Download
memory/228-136-0x00000000032A0000-0x00000000033B0000-memory.dmp

Filesize
1.1MB

Download
memory/228-138-0x00000000035E0000-0x00000000036AE000-memory.dmp

Filesize
824KB

Download
memory/228-139-0x00000000036B0000-0x000000000376C000-memory.dmp

Filesize
752KB

Download
memory/228-152-0x00000000034C0000-0x00000000035D1000-memory.dmp

Filesize
1.1MB

Download
memory/2764-132-0x0000000000000000-mapping.dmp

Download
memory/3348-142-0x0000000000000000-mapping.dmp

Download
memory/3652-145-0x0000000002DB0000-0x0000000002EC0000-memory.dmp

Filesize
1.1MB

Download
memory/3652-146-0x0000000002FD0000-0x00000000030E1000-memory.dmp

Filesize
1.1MB

Download
memory/3652-147-0x00000000030F0000-0x00000000031BE000-memory.dmp

Filesize
824KB

Download
memory/3652-148-0x00000000031C0000-0x000000000327C000-memory.dmp

Filesize
752KB

Download
memory/3652-151-0x0000000002FD0000-0x00000000030E1000-memory.dmp

Filesize
1.1MB

Download
memory/3652-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads