ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8

General

Target

ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe
Size

2.0MB
MD5

d5f6a2d686b53ba6d2a34b7118ee84c2
SHA1

51b7705e979cba4945dce3a24cafef6f4836c4a1
SHA256

ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8
SHA512

c6a4a352c85e1b8350ae66ee55bdc21dae33eef0f922b855801c9bceb27505f6d85c07d596543cdec64c92c3bf8d87b831c0e0d2a3ae9891e6970f73b12529b4
SSDEEP

49152:CBD71LWw33pbPymb/v+cF5dl7YoGQ5Ztw:U9P330cnxY8fw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe

Loads dropped DLL 4 IoCs

pid	Process
612	rundll32.exe
612	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 5108	4680	ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe	85
PID 4680 wrote to memory of 5108	4680	ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe	85
PID 4680 wrote to memory of 5108	4680	ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe	85
PID 5108 wrote to memory of 612	5108	control.exe	87
PID 5108 wrote to memory of 612	5108	control.exe	87
PID 5108 wrote to memory of 612	5108	control.exe	87
PID 612 wrote to memory of 1188	612	rundll32.exe	95
PID 612 wrote to memory of 1188	612	rundll32.exe	95
PID 1188 wrote to memory of 4648	1188	RunDll32.exe	96
PID 1188 wrote to memory of 4648	1188	RunDll32.exe	96
PID 1188 wrote to memory of 4648	1188	RunDll32.exe	96

C:\Users\Admin\AppData\Local\Temp\ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe
"C:\Users\Admin\AppData\Local\Temp\ca020bf46e86f3a8953fa2420dd99c6fb933689dfb4c20b7071569a2035771d8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\NweWKTr.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NweWKTr.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NweWKTr.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\NweWKTr.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NweWKTr.CpL

Filesize
1.7MB

MD5
1879ff6f831f690f73cc26954976b817

SHA1
6f9ad93e8661f2de26ec4e817871c4729a3f7cca

SHA256
b8eeadd618b737c272ea7b528ad7b0032057c208e895b50a0f9d03a187e24267

SHA512
b2f48445c893dfb187f77e08ebe5f0a73ff94d35b1b9d628e7ea941737655342c7a89e50b8f797a77e84d57b3e8f1fa6dea00ae07f2e3dc0747078b512d4facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NweWktr.cpl

Filesize
1.7MB

MD5
1879ff6f831f690f73cc26954976b817

SHA1
6f9ad93e8661f2de26ec4e817871c4729a3f7cca

SHA256
b8eeadd618b737c272ea7b528ad7b0032057c208e895b50a0f9d03a187e24267

SHA512
b2f48445c893dfb187f77e08ebe5f0a73ff94d35b1b9d628e7ea941737655342c7a89e50b8f797a77e84d57b3e8f1fa6dea00ae07f2e3dc0747078b512d4facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NweWktr.cpl

Filesize
1.7MB

MD5
1879ff6f831f690f73cc26954976b817

SHA1
6f9ad93e8661f2de26ec4e817871c4729a3f7cca

SHA256
b8eeadd618b737c272ea7b528ad7b0032057c208e895b50a0f9d03a187e24267

SHA512
b2f48445c893dfb187f77e08ebe5f0a73ff94d35b1b9d628e7ea941737655342c7a89e50b8f797a77e84d57b3e8f1fa6dea00ae07f2e3dc0747078b512d4facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NweWktr.cpl

Filesize
1.7MB

MD5
1879ff6f831f690f73cc26954976b817

SHA1
6f9ad93e8661f2de26ec4e817871c4729a3f7cca

SHA256
b8eeadd618b737c272ea7b528ad7b0032057c208e895b50a0f9d03a187e24267

SHA512
b2f48445c893dfb187f77e08ebe5f0a73ff94d35b1b9d628e7ea941737655342c7a89e50b8f797a77e84d57b3e8f1fa6dea00ae07f2e3dc0747078b512d4facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NweWktr.cpl

Filesize
1.7MB

MD5
1879ff6f831f690f73cc26954976b817

SHA1
6f9ad93e8661f2de26ec4e817871c4729a3f7cca

SHA256
b8eeadd618b737c272ea7b528ad7b0032057c208e895b50a0f9d03a187e24267

SHA512
b2f48445c893dfb187f77e08ebe5f0a73ff94d35b1b9d628e7ea941737655342c7a89e50b8f797a77e84d57b3e8f1fa6dea00ae07f2e3dc0747078b512d4facc

Download Submit
memory/612-140-0x0000000002AD0000-0x0000000002C02000-memory.dmp

Filesize
1.2MB

Download
memory/612-139-0x0000000002D40000-0x0000000002E72000-memory.dmp

Filesize
1.2MB

Download
memory/612-138-0x0000000002AD0000-0x0000000002C02000-memory.dmp

Filesize
1.2MB

Download
memory/612-141-0x0000000002E80000-0x0000000002F4A000-memory.dmp

Filesize
808KB

Download
memory/612-142-0x0000000002F50000-0x0000000003005000-memory.dmp

Filesize
724KB

Download
memory/612-143-0x0000000002F50000-0x0000000003005000-memory.dmp

Filesize
724KB

Download
memory/612-137-0x00000000026E0000-0x000000000288C000-memory.dmp

Filesize
1.7MB

Download
memory/4648-149-0x0000000002A60000-0x0000000002C0C000-memory.dmp

Filesize
1.7MB

Download
memory/4648-151-0x0000000003140000-0x0000000003272000-memory.dmp

Filesize
1.2MB

Download
memory/4648-150-0x0000000002ED0000-0x0000000003002000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing