ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad

General

Target

ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe
Size

1.7MB
MD5

2f183560b5ea544574d4767568b29bb0
SHA1

772e68086d339526fc4f5d57adf64804c028ddec
SHA256

ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad
SHA512

192e2ab01cf1d040e5fb863052ec8492a3c0deeaf0dd6a1cafa1799fcd8aafdda587bfb77cf70659dd8989ed3c84ef491ab3016528ec6b64df9a5a8347519f88
SSDEEP

49152:zunH3/PUf0y26inrMc68NIDxdfxnIMSntZ5VkTbqJpljav:zKH33Uf0y26socFNIDxdfxnEv7Wopp2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4824 rundll32.exe
1708 rundll32.exe
1708 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4824	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe

Modifies registry class 1 IoCs

Processes:

ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 1168 wrote to memory of 4308	1168	ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe	control.exe
PID 1168 wrote to memory of 4308	1168	ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe	control.exe
PID 1168 wrote to memory of 4308	1168	ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe	control.exe
PID 4308 wrote to memory of 4824	4308	control.exe	rundll32.exe
PID 4308 wrote to memory of 4824	4308	control.exe	rundll32.exe
PID 4308 wrote to memory of 4824	4308	control.exe	rundll32.exe
PID 4824 wrote to memory of 2356	4824	rundll32.exe	RunDll32.exe
PID 4824 wrote to memory of 2356	4824	rundll32.exe	RunDll32.exe
PID 2356 wrote to memory of 1708	2356	RunDll32.exe	rundll32.exe
PID 2356 wrote to memory of 1708	2356	RunDll32.exe	rundll32.exe
PID 2356 wrote to memory of 1708	2356	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe
"C:\Users\Admin\AppData\Local\Temp\ac10e8410f881edb39644be80a8269638de2feaf1068f61f079ff8aac971c9ad.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DNknEOHK.cpl",
2⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DNknEOHK.cpl",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DNknEOHK.cpl",
4⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DNknEOHK.cpl",
5⤵
- Loads dropped DLL
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNknEOHK.cpl

Filesize
1.7MB

MD5
da8de540d6d685c9d099145a3ac44ec1

SHA1
f8ddfb3170a257d9df5381773ee8fa8a3b83f0b0

SHA256
4961a725ff7cf647400cf3bd39fc1c35c384ec09dc1226536d8c436321bce616

SHA512
b504c3585ac752b86007a830a8dc715eb5c4542a3115a035d1812f80756d1ca831810be3510db40b6ed6020c922a3e6b0276e868932147a8d2bcc680538dfc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnknEOhK.cpl

Filesize
1.7MB

MD5
da8de540d6d685c9d099145a3ac44ec1

SHA1
f8ddfb3170a257d9df5381773ee8fa8a3b83f0b0

SHA256
4961a725ff7cf647400cf3bd39fc1c35c384ec09dc1226536d8c436321bce616

SHA512
b504c3585ac752b86007a830a8dc715eb5c4542a3115a035d1812f80756d1ca831810be3510db40b6ed6020c922a3e6b0276e868932147a8d2bcc680538dfc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnknEOhK.cpl

Filesize
1.7MB

MD5
da8de540d6d685c9d099145a3ac44ec1

SHA1
f8ddfb3170a257d9df5381773ee8fa8a3b83f0b0

SHA256
4961a725ff7cf647400cf3bd39fc1c35c384ec09dc1226536d8c436321bce616

SHA512
b504c3585ac752b86007a830a8dc715eb5c4542a3115a035d1812f80756d1ca831810be3510db40b6ed6020c922a3e6b0276e868932147a8d2bcc680538dfc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnknEOhK.cpl

Filesize
1.7MB

MD5
da8de540d6d685c9d099145a3ac44ec1

SHA1
f8ddfb3170a257d9df5381773ee8fa8a3b83f0b0

SHA256
4961a725ff7cf647400cf3bd39fc1c35c384ec09dc1226536d8c436321bce616

SHA512
b504c3585ac752b86007a830a8dc715eb5c4542a3115a035d1812f80756d1ca831810be3510db40b6ed6020c922a3e6b0276e868932147a8d2bcc680538dfc7a

Download Submit
memory/1708-143-0x0000000000000000-mapping.dmp

Download
memory/1708-146-0x00000000024E0000-0x000000000269F000-memory.dmp

Filesize
1.7MB

Download
memory/2356-142-0x0000000000000000-mapping.dmp

Download
memory/4308-132-0x0000000000000000-mapping.dmp

Download
memory/4824-137-0x0000000003700000-0x0000000003811000-memory.dmp

Filesize
1.1MB

Download
memory/4824-138-0x0000000003820000-0x00000000038EE000-memory.dmp

Filesize
824KB

Download
memory/4824-139-0x00000000038F0000-0x00000000039AC000-memory.dmp

Filesize
752KB

Download
memory/4824-136-0x00000000034E0000-0x00000000035F0000-memory.dmp

Filesize
1.1MB

Download
memory/4824-133-0x0000000000000000-mapping.dmp

Download
memory/4824-147-0x0000000003700000-0x0000000003811000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads