bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b

General

Target

bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe
Size

1.9MB
MD5

fb08b6a3e9fa2449fd5766395ae3400e
SHA1

2097abdd95de0a3f12f4a90efe24ff93bf4533ec
SHA256

bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b
SHA512

6c1374c798f0cd06db47f5b7136693e38642123cddde14a8979f72205fcc100bb03836673df615b99cf31f27097d01f334957dcba7ffe8eb0e6eafef36cb0428
SSDEEP

49152:mNABfJXAE3O6cCqErznDX7+0TyqxE7czXbys7r/:aABfKEe6iWznTi/6E7czOs7r

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe

Loads dropped DLL 2 IoCs

pid	Process
4948	rundll32.exe
716	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 2952	3092	bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe	81
PID 3092 wrote to memory of 2952	3092	bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe	81
PID 3092 wrote to memory of 2952	3092	bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe	81
PID 2952 wrote to memory of 4948	2952	control.exe	83
PID 2952 wrote to memory of 4948	2952	control.exe	83
PID 2952 wrote to memory of 4948	2952	control.exe	83
PID 4948 wrote to memory of 2256	4948	rundll32.exe	86
PID 4948 wrote to memory of 2256	4948	rundll32.exe	86
PID 2256 wrote to memory of 716	2256	RunDll32.exe	87
PID 2256 wrote to memory of 716	2256	RunDll32.exe	87
PID 2256 wrote to memory of 716	2256	RunDll32.exe	87

C:\Users\Admin\AppData\Local\Temp\bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe
"C:\Users\Admin\AppData\Local\Temp\bd1069b89c06d1415f19fa199da0947999c83caa46c3a7cf7bf1c5d9d28a0b8b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\gYLrG4C.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\gYLrG4C.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\gYLrG4C.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\gYLrG4C.cpl",
        5⤵
        Loads dropped DLL
        
        PID:716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gYLrG4C.cpl

Filesize
2.1MB

MD5
9714316da1a89f9728c40c73d393ae22

SHA1
57a97f95ba1ebf2e31677c0ecdc856055d7edb02

SHA256
65ab6f469dcd72936a4997b90636ff2b192b8038f03b205e151631adff01f1c8

SHA512
15873df7483e0472b970a67eae92a2c8e446606e5c86b00511f2d56102fcaaa34d6de54f499334353c4a97bc53aae66539ae090d2a9fd46771be2ba9c21ea20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYlrg4C.cpl

Filesize
2.1MB

MD5
9714316da1a89f9728c40c73d393ae22

SHA1
57a97f95ba1ebf2e31677c0ecdc856055d7edb02

SHA256
65ab6f469dcd72936a4997b90636ff2b192b8038f03b205e151631adff01f1c8

SHA512
15873df7483e0472b970a67eae92a2c8e446606e5c86b00511f2d56102fcaaa34d6de54f499334353c4a97bc53aae66539ae090d2a9fd46771be2ba9c21ea20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYlrg4C.cpl

Filesize
2.1MB

MD5
9714316da1a89f9728c40c73d393ae22

SHA1
57a97f95ba1ebf2e31677c0ecdc856055d7edb02

SHA256
65ab6f469dcd72936a4997b90636ff2b192b8038f03b205e151631adff01f1c8

SHA512
15873df7483e0472b970a67eae92a2c8e446606e5c86b00511f2d56102fcaaa34d6de54f499334353c4a97bc53aae66539ae090d2a9fd46771be2ba9c21ea20c

Download Submit
memory/716-151-0x0000000003220000-0x000000000333A000-memory.dmp

Filesize
1.1MB

Download
memory/716-148-0x0000000003410000-0x00000000034C4000-memory.dmp

Filesize
720KB

Download
memory/716-147-0x0000000003340000-0x0000000003408000-memory.dmp

Filesize
800KB

Download
memory/716-145-0x0000000002F80000-0x00000000030FE000-memory.dmp

Filesize
1.5MB

Download
memory/716-146-0x0000000003220000-0x000000000333A000-memory.dmp

Filesize
1.1MB

Download
memory/4948-139-0x0000000002790000-0x0000000002844000-memory.dmp

Filesize
720KB

Download
memory/4948-138-0x0000000003210000-0x00000000032D8000-memory.dmp

Filesize
800KB

Download
memory/4948-137-0x00000000030F0000-0x000000000320A000-memory.dmp

Filesize
1.1MB

Download
memory/4948-136-0x0000000002E50000-0x0000000002FCE000-memory.dmp

Filesize
1.5MB

Download
memory/4948-152-0x00000000030F0000-0x000000000320A000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing