86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5

General

Target

86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe
Size

1.9MB
MD5

c191eeee517faa121878cfb082357c2c
SHA1

5886f65975bab88d3f2fc3748a28f60e01f245d3
SHA256

86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5
SHA512

def97d13f46875c503f03a695f35468e068dcbc1c78d8a15037ecde400943fd3b44197877ffc22a375b31aa016bbe2a0070027ccabe1ddd282dfac7f1e49d56a
SSDEEP

49152:4u4m27qh/XTxen2K3nTrnhzj5G+alMmR9N/5vGshc3bdMjkj:4u4CVXTlK3TLKTll9escZZj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1860 rundll32.exe
4072 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1860	rundll32.exe
4072	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 2420 wrote to memory of 4600	2420	86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe	control.exe
PID 2420 wrote to memory of 4600	2420	86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe	control.exe
PID 2420 wrote to memory of 4600	2420	86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe	control.exe
PID 4600 wrote to memory of 1860	4600	control.exe	rundll32.exe
PID 4600 wrote to memory of 1860	4600	control.exe	rundll32.exe
PID 4600 wrote to memory of 1860	4600	control.exe	rundll32.exe
PID 1860 wrote to memory of 4524	1860	rundll32.exe	RunDll32.exe
PID 1860 wrote to memory of 4524	1860	rundll32.exe	RunDll32.exe
PID 4524 wrote to memory of 4072	4524	RunDll32.exe	rundll32.exe
PID 4524 wrote to memory of 4072	4524	RunDll32.exe	rundll32.exe
PID 4524 wrote to memory of 4072	4524	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe
"C:\Users\Admin\AppData\Local\Temp\86bc500b826eb082a68ac23fea3163fe7794ab9bc52c5c0a3b43dccff37743f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\WHLZnB.0r
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\WHLZnB.0r
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\WHLZnB.0r
4⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\WHLZnB.0r
5⤵
- Loads dropped DLL
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WHLZnB.0r

Filesize
1.7MB

MD5
d801a88f7eadbbf5729e71cbcea830bd

SHA1
3c5615824e8925352da55d1ad52d5f69584f05c3

SHA256
e1f523be82da499b092c176d062a603afe35302bfba5598b44b6a4d3836f6309

SHA512
1d63eb7670696087c90120f84df805b7c1c0718272db892dc9dc23c909d16a4bdc29d9dd699a79005b54c41319e465a5f7e9b92c2fad12a46f159984b1fa6622

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhLZnb.0r

Filesize
1.7MB

MD5
d801a88f7eadbbf5729e71cbcea830bd

SHA1
3c5615824e8925352da55d1ad52d5f69584f05c3

SHA256
e1f523be82da499b092c176d062a603afe35302bfba5598b44b6a4d3836f6309

SHA512
1d63eb7670696087c90120f84df805b7c1c0718272db892dc9dc23c909d16a4bdc29d9dd699a79005b54c41319e465a5f7e9b92c2fad12a46f159984b1fa6622

Download Submit
C:\Users\Admin\AppData\Local\Temp\WhLZnb.0r

Filesize
1.7MB

MD5
d801a88f7eadbbf5729e71cbcea830bd

SHA1
3c5615824e8925352da55d1ad52d5f69584f05c3

SHA256
e1f523be82da499b092c176d062a603afe35302bfba5598b44b6a4d3836f6309

SHA512
1d63eb7670696087c90120f84df805b7c1c0718272db892dc9dc23c909d16a4bdc29d9dd699a79005b54c41319e465a5f7e9b92c2fad12a46f159984b1fa6622

Download Submit
memory/1860-136-0x00000000031F0000-0x0000000003304000-memory.dmp

Filesize
1.1MB

Download
memory/1860-133-0x0000000000000000-mapping.dmp

Download
memory/1860-137-0x0000000003430000-0x0000000003544000-memory.dmp

Filesize
1.1MB

Download
memory/1860-138-0x00000000031F0000-0x0000000003304000-memory.dmp

Filesize
1.1MB

Download
memory/1860-139-0x0000000003550000-0x0000000003618000-memory.dmp

Filesize
800KB

Download
memory/1860-140-0x0000000003620000-0x00000000036D3000-memory.dmp

Filesize
716KB

Download
memory/1860-143-0x0000000003430000-0x0000000003544000-memory.dmp

Filesize
1.1MB

Download
memory/4072-148-0x0000000003730000-0x0000000003844000-memory.dmp

Filesize
1.1MB

Download
memory/4072-145-0x0000000000000000-mapping.dmp

Download
memory/4072-147-0x00000000034F0000-0x0000000003604000-memory.dmp

Filesize
1.1MB

Download
memory/4072-149-0x0000000003850000-0x0000000003918000-memory.dmp

Filesize
800KB

Download
memory/4072-150-0x0000000003920000-0x00000000039D3000-memory.dmp

Filesize
716KB

Download
memory/4072-153-0x0000000003730000-0x0000000003844000-memory.dmp

Filesize
1.1MB

Download
memory/4524-144-0x0000000000000000-mapping.dmp

Download
memory/4600-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing