1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46

General

Target

1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe
Size

1.9MB
MD5

e66f3d4c9072ec5e652912387b8ecb10
SHA1

50235b5bb054887a210dfdd160ba2d60ff48e802
SHA256

1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46
SHA512

fffc0dedc6f7cee77941486e3bd341b76de9ee54e728719a83a296ea93aa6243b8e4eb57dc8724b0fd11bd014a649ffed4955c0cbca26fedb139c4f39bb0631d
SSDEEP

49152:C3dO4wl1Xmw2LrqY4U/hGASU5Iu+3JmLbqVh4pRFv/d1:CiCLL4UJHZ5I70Ehs/3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe

Loads dropped DLL 3 IoCs

pid	Process
1840	rundll32.exe
1840	rundll32.exe
3180	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2548	4604	1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe	82
PID 4604 wrote to memory of 2548	4604	1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe	82
PID 4604 wrote to memory of 2548	4604	1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe	82
PID 2548 wrote to memory of 1840	2548	control.exe	84
PID 2548 wrote to memory of 1840	2548	control.exe	84
PID 2548 wrote to memory of 1840	2548	control.exe	84
PID 1840 wrote to memory of 1036	1840	rundll32.exe	87
PID 1840 wrote to memory of 1036	1840	rundll32.exe	87
PID 1036 wrote to memory of 3180	1036	RunDll32.exe	88
PID 1036 wrote to memory of 3180	1036	RunDll32.exe	88
PID 1036 wrote to memory of 3180	1036	RunDll32.exe	88

C:\Users\Admin\AppData\Local\Temp\1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe
"C:\Users\Admin\AppData\Local\Temp\1e666552a257cb3ce8ea4de868d27c0610e54bc5e6cd64a4a9be869a7bfa9f46.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cPL",
        5⤵
        Loads dropped DLL
        
        PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cPL

Filesize
1.8MB

MD5
8c7ac83001fafbe3c2bc14e0fb0816d9

SHA1
0b0f80de18a065686b0c27981b4ef838cce700b4

SHA256
74fff79e3510ee4cc61f1b89d2fff949e3af5d2e655e73448950626e12ed048d

SHA512
d0cc339b1eab8c473765aba9655c39a51659cf8545da47d663c7e2ca3bd63dd39ddc3adf5c0c8d1ca74e357e65778983fa06f3459a775f5c702c7ca0adbe2e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cpl

Filesize
1.8MB

MD5
8c7ac83001fafbe3c2bc14e0fb0816d9

SHA1
0b0f80de18a065686b0c27981b4ef838cce700b4

SHA256
74fff79e3510ee4cc61f1b89d2fff949e3af5d2e655e73448950626e12ed048d

SHA512
d0cc339b1eab8c473765aba9655c39a51659cf8545da47d663c7e2ca3bd63dd39ddc3adf5c0c8d1ca74e357e65778983fa06f3459a775f5c702c7ca0adbe2e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cpl

Filesize
1.8MB

MD5
8c7ac83001fafbe3c2bc14e0fb0816d9

SHA1
0b0f80de18a065686b0c27981b4ef838cce700b4

SHA256
74fff79e3510ee4cc61f1b89d2fff949e3af5d2e655e73448950626e12ed048d

SHA512
d0cc339b1eab8c473765aba9655c39a51659cf8545da47d663c7e2ca3bd63dd39ddc3adf5c0c8d1ca74e357e65778983fa06f3459a775f5c702c7ca0adbe2e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PbVIl2K.cpl

Filesize
1.8MB

MD5
8c7ac83001fafbe3c2bc14e0fb0816d9

SHA1
0b0f80de18a065686b0c27981b4ef838cce700b4

SHA256
74fff79e3510ee4cc61f1b89d2fff949e3af5d2e655e73448950626e12ed048d

SHA512
d0cc339b1eab8c473765aba9655c39a51659cf8545da47d663c7e2ca3bd63dd39ddc3adf5c0c8d1ca74e357e65778983fa06f3459a775f5c702c7ca0adbe2e7f

Download Submit
memory/1840-142-0x0000000002E70000-0x0000000002F24000-memory.dmp

Filesize
720KB

Download
memory/1840-154-0x0000000002C80000-0x0000000002D95000-memory.dmp

Filesize
1.1MB

Download
memory/1840-139-0x0000000002C80000-0x0000000002D95000-memory.dmp

Filesize
1.1MB

Download
memory/1840-140-0x0000000002DA0000-0x0000000002E67000-memory.dmp

Filesize
796KB

Download
memory/1840-141-0x0000000002E70000-0x0000000002F24000-memory.dmp

Filesize
720KB

Download
memory/1840-137-0x0000000002570000-0x0000000002735000-memory.dmp

Filesize
1.8MB

Download
memory/1840-138-0x0000000002A40000-0x0000000002B56000-memory.dmp

Filesize
1.1MB

Download
memory/3180-148-0x00000000035B0000-0x00000000036C5000-memory.dmp

Filesize
1.1MB

Download
memory/3180-149-0x0000000003160000-0x0000000003227000-memory.dmp

Filesize
796KB

Download
memory/3180-151-0x00000000036D0000-0x0000000003784000-memory.dmp

Filesize
720KB

Download
memory/3180-153-0x00000000035B0000-0x00000000036C5000-memory.dmp

Filesize
1.1MB

Download
memory/3180-147-0x0000000003370000-0x0000000003486000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing