e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420

General

Target

e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
Size

1.7MB
MD5

f19f9579b42168080761e723996b5e98
SHA1

921c97bcade3afe6955514073a69485dadfe774a
SHA256

e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420
SHA512

9d8d18a279832b79b45dcffb8f733f820ba114d2a523054f222951e2c35e85a091e7cc936affec23358e87d4896f0096f711c0e3ce13df6b209de289e69bc072
SSDEEP

49152:Kyx4ql56OSVbug9D3+IsL9OI7xWHQ3aw2uwzUBTRv:KyxDl56OKyg9aIk9JtKYZ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3768 rundll32.exe
2448 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3768	rundll32.exe
2448	rundll32.exe

Modifies registry class 1 IoCs

Processes:

e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.execontrol.exerundll32.exeRunDll32.exe

description	pid	process	target process
PID 3548 wrote to memory of 3012	3548	e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe	control.exe
PID 3548 wrote to memory of 3012	3548	e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe	control.exe
PID 3548 wrote to memory of 3012	3548	e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe	control.exe
PID 3012 wrote to memory of 3768	3012	control.exe	rundll32.exe
PID 3012 wrote to memory of 3768	3012	control.exe	rundll32.exe
PID 3012 wrote to memory of 3768	3012	control.exe	rundll32.exe
PID 3768 wrote to memory of 4300	3768	rundll32.exe	RunDll32.exe
PID 3768 wrote to memory of 4300	3768	rundll32.exe	RunDll32.exe
PID 4300 wrote to memory of 2448	4300	RunDll32.exe	rundll32.exe
PID 4300 wrote to memory of 2448	4300	RunDll32.exe	rundll32.exe
PID 4300 wrote to memory of 2448	4300	RunDll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe
"C:\Users\Admin\AppData\Local\Temp\e801befe886e6c0d8b0efa59a04e07e86d6f99132360e1e5d54151c3b5fcb420.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
4⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL",
5⤵
- Loads dropped DLL
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pwYNZ2.cPL
Filesize
2.0MB

MD5
0dbe5c1809c2ce45db5eed5c434c00d6

SHA1
094f1be837a77c56a99e6aa0a76c6812b87ec6d3

SHA256
c80b04723a4127fb0d6436237084532d443f4c1deb870a9d294da39be3a3dbe8

SHA512
07b3f56cace2ef7952ce953b71e595b3c72a332898d6d14b30304ec147dd75395a114ce2dd67b5438b6a9f316b7356d9872b66d296ad9034af7bdb0338110599

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyNZ2.cpl
Filesize
2.0MB

MD5
0dbe5c1809c2ce45db5eed5c434c00d6

SHA1
094f1be837a77c56a99e6aa0a76c6812b87ec6d3

SHA256
c80b04723a4127fb0d6436237084532d443f4c1deb870a9d294da39be3a3dbe8

SHA512
07b3f56cace2ef7952ce953b71e595b3c72a332898d6d14b30304ec147dd75395a114ce2dd67b5438b6a9f316b7356d9872b66d296ad9034af7bdb0338110599

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwyNZ2.cpl
Filesize
2.0MB

MD5
0dbe5c1809c2ce45db5eed5c434c00d6

SHA1
094f1be837a77c56a99e6aa0a76c6812b87ec6d3

SHA256
c80b04723a4127fb0d6436237084532d443f4c1deb870a9d294da39be3a3dbe8

SHA512
07b3f56cace2ef7952ce953b71e595b3c72a332898d6d14b30304ec147dd75395a114ce2dd67b5438b6a9f316b7356d9872b66d296ad9034af7bdb0338110599

Download Submit
memory/2448-151-0x0000000003790000-0x00000000038BE000-memory.dmp

Filesize
1.2MB

Download
memory/2448-148-0x0000000003990000-0x0000000003A44000-memory.dmp

Filesize
720KB

Download
memory/2448-147-0x00000000038C0000-0x0000000003988000-memory.dmp

Filesize
800KB

Download
memory/2448-146-0x0000000003790000-0x00000000038BE000-memory.dmp

Filesize
1.2MB

Download
memory/2448-145-0x00000000034C0000-0x0000000003659000-memory.dmp

Filesize
1.6MB

Download
memory/2448-143-0x0000000000000000-mapping.dmp

Download
memory/3012-132-0x0000000000000000-mapping.dmp

Download
memory/3768-137-0x0000000002F50000-0x000000000307E000-memory.dmp

Filesize
1.2MB

Download
memory/3768-139-0x0000000003150000-0x0000000003204000-memory.dmp

Filesize
720KB

Download
memory/3768-138-0x0000000003080000-0x0000000003148000-memory.dmp

Filesize
800KB

Download
memory/3768-136-0x0000000002C80000-0x0000000002E19000-memory.dmp

Filesize
1.6MB

Download
memory/3768-133-0x0000000000000000-mapping.dmp

Download
memory/3768-152-0x0000000002F50000-0x000000000307E000-memory.dmp

Filesize
1.2MB

Download
memory/4300-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads