a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0

General

Target

a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe
Size

1.6MB
MD5

3695c69c00bdc093fc1622ef5a7697c4
SHA1

1ae5fc22b99d1f8f852c145dba6801d74111948b
SHA256

a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0
SHA512

b1aad3b54ab328686f7c76695fe6e41f5793b07f813e918386ffb0a05ee02db9d2953fc152d718330e73a0756b59aa113cbbefe1a586902e72c39b4898029677
SSDEEP

24576:4ry2uXzmVLjihFU2GDzH8qG7//lSSuz655hIjsuhyIpzQvvHH4sxJvLGGVQRwd:4unTiUL7xX55mjs6yIROvnjvSGOwd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe

Loads dropped DLL 2 IoCs

pid	Process
1512	rundll32.exe
4876	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2144	5044	a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe	79
PID 5044 wrote to memory of 2144	5044	a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe	79
PID 5044 wrote to memory of 2144	5044	a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe	79
PID 2144 wrote to memory of 1512	2144	control.exe	81
PID 2144 wrote to memory of 1512	2144	control.exe	81
PID 2144 wrote to memory of 1512	2144	control.exe	81
PID 1512 wrote to memory of 4892	1512	rundll32.exe	82
PID 1512 wrote to memory of 4892	1512	rundll32.exe	82
PID 4892 wrote to memory of 4876	4892	RunDll32.exe	83
PID 4892 wrote to memory of 4876	4892	RunDll32.exe	83
PID 4892 wrote to memory of 4876	4892	RunDll32.exe	83

C:\Users\Admin\AppData\Local\Temp\a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe
"C:\Users\Admin\AppData\Local\Temp\a529400795baf31f37fc400d4479813acf48a181b88097de279220d5bf86a6d0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\C3xYJ.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C3xYJ.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C3xYJ.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\C3xYJ.CPl",
        5⤵
        Loads dropped DLL
        
        PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C3xYJ.CPl

Filesize
1.6MB

MD5
40356bacd735d203926a1a5a7f499913

SHA1
934b6009a1be21b76b38e153d441c372ddc0fabc

SHA256
b8e172740b26c9792b64c17ab2082cdf12eec86ac6aa84161222ccb9262e0abe

SHA512
761b7f696abed81fbc1aead9a6e587b57226208e8fbf68c9b9267e37f2d71caa970f48e71b3fc5103accc0917afeda5ed90b3508d6a66f4548e58ac5c6f9fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3xyJ.cpl

Filesize
1.6MB

MD5
40356bacd735d203926a1a5a7f499913

SHA1
934b6009a1be21b76b38e153d441c372ddc0fabc

SHA256
b8e172740b26c9792b64c17ab2082cdf12eec86ac6aa84161222ccb9262e0abe

SHA512
761b7f696abed81fbc1aead9a6e587b57226208e8fbf68c9b9267e37f2d71caa970f48e71b3fc5103accc0917afeda5ed90b3508d6a66f4548e58ac5c6f9fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3xyJ.cpl

Filesize
1.6MB

MD5
40356bacd735d203926a1a5a7f499913

SHA1
934b6009a1be21b76b38e153d441c372ddc0fabc

SHA256
b8e172740b26c9792b64c17ab2082cdf12eec86ac6aa84161222ccb9262e0abe

SHA512
761b7f696abed81fbc1aead9a6e587b57226208e8fbf68c9b9267e37f2d71caa970f48e71b3fc5103accc0917afeda5ed90b3508d6a66f4548e58ac5c6f9fb42

Download Submit
memory/1512-136-0x0000000002D00000-0x0000000002DF2000-memory.dmp

Filesize
968KB

Download
memory/1512-137-0x0000000002EF0000-0x0000000002FE2000-memory.dmp

Filesize
968KB

Download
memory/1512-138-0x0000000002FF0000-0x00000000030B9000-memory.dmp

Filesize
804KB

Download
memory/1512-139-0x00000000030D0000-0x0000000003185000-memory.dmp

Filesize
724KB

Download
memory/1512-152-0x0000000002EF0000-0x0000000002FE2000-memory.dmp

Filesize
968KB

Download
memory/4876-145-0x0000000002EE0000-0x0000000002FD2000-memory.dmp

Filesize
968KB

Download
memory/4876-146-0x00000000030D0000-0x00000000031C2000-memory.dmp

Filesize
968KB

Download
memory/4876-147-0x00000000031D0000-0x0000000003299000-memory.dmp

Filesize
804KB

Download
memory/4876-148-0x00000000032A0000-0x0000000003355000-memory.dmp

Filesize
724KB

Download
memory/4876-151-0x00000000030D0000-0x00000000031C2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing