938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f

General

Target

938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe
Size

1.8MB
MD5

815b2e145b5647be4aaf95ee2de52f7e
SHA1

9ea503286e5fb0b3d137f4368e5d5fa496c50431
SHA256

938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f
SHA512

edd6dd4633868d6003f2449fa3599140e7308e115aaf8fb74f052375ab8d6efeed28af50c6e167ee545495184c6850e3ca7334bc314a0e4cd99a46d0dd4f2483
SSDEEP

49152:4unOhqxUFQAuw9xDRCq0J/me1B8tXvGIJW9KIxPYO1rI:4KelFjXaemTIJUN4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe

Loads dropped DLL 2 IoCs

pid	Process
3392	rundll32.exe
448	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 5060	4512	938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe	80
PID 4512 wrote to memory of 5060	4512	938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe	80
PID 4512 wrote to memory of 5060	4512	938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe	80
PID 5060 wrote to memory of 3392	5060	control.exe	82
PID 5060 wrote to memory of 3392	5060	control.exe	82
PID 5060 wrote to memory of 3392	5060	control.exe	82
PID 3392 wrote to memory of 4768	3392	rundll32.exe	85
PID 3392 wrote to memory of 4768	3392	rundll32.exe	85
PID 4768 wrote to memory of 448	4768	RunDll32.exe	86
PID 4768 wrote to memory of 448	4768	RunDll32.exe	86
PID 4768 wrote to memory of 448	4768	RunDll32.exe	86

C:\Users\Admin\AppData\Local\Temp\938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe
"C:\Users\Admin\AppData\Local\Temp\938d7427fceb7e021ca024f1c6b289209dbeacae66729a4b4b8a862eaa47561f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\IvPH.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IvPH.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IvPH.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\IvPH.CpL",
        5⤵
        Loads dropped DLL
        
        PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IvPH.CpL

Filesize
3.5MB

MD5
b4ebef36191df15cce12ecf1a9678f12

SHA1
8a2770810392d59fcd835c6524ddbf3a37e09b3e

SHA256
e12263ff44662de69de15c61753c616e80d9e59919be01a89396ae8e099a18f8

SHA512
41dfa58c1026be97c741bf20ab1932cbc08a79dee26141c7e31f88a18a731378da5a5107a6418da2183be4b072c5620c232a2cd679eba7a008364a8aa34af691

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvPH.cpl

Filesize
3.5MB

MD5
b4ebef36191df15cce12ecf1a9678f12

SHA1
8a2770810392d59fcd835c6524ddbf3a37e09b3e

SHA256
e12263ff44662de69de15c61753c616e80d9e59919be01a89396ae8e099a18f8

SHA512
41dfa58c1026be97c741bf20ab1932cbc08a79dee26141c7e31f88a18a731378da5a5107a6418da2183be4b072c5620c232a2cd679eba7a008364a8aa34af691

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvPH.cpl

Filesize
3.5MB

MD5
b4ebef36191df15cce12ecf1a9678f12

SHA1
8a2770810392d59fcd835c6524ddbf3a37e09b3e

SHA256
e12263ff44662de69de15c61753c616e80d9e59919be01a89396ae8e099a18f8

SHA512
41dfa58c1026be97c741bf20ab1932cbc08a79dee26141c7e31f88a18a731378da5a5107a6418da2183be4b072c5620c232a2cd679eba7a008364a8aa34af691

Download Submit
memory/448-151-0x0000000003600000-0x000000000375C000-memory.dmp

Filesize
1.4MB

Download
memory/448-149-0x0000000003860000-0x000000000393A000-memory.dmp

Filesize
872KB

Download
memory/448-147-0x0000000003760000-0x0000000003852000-memory.dmp

Filesize
968KB

Download
memory/448-146-0x0000000003600000-0x000000000375C000-memory.dmp

Filesize
1.4MB

Download
memory/448-145-0x0000000003150000-0x000000000349B000-memory.dmp

Filesize
3.3MB

Download
memory/3392-136-0x0000000002FE0000-0x000000000332B000-memory.dmp

Filesize
3.3MB

Download
memory/3392-139-0x00000000036F0000-0x00000000037CA000-memory.dmp

Filesize
872KB

Download
memory/3392-140-0x00000000036F0000-0x00000000037CA000-memory.dmp

Filesize
872KB

Download
memory/3392-138-0x00000000035F0000-0x00000000036E2000-memory.dmp

Filesize
968KB

Download
memory/3392-137-0x0000000003490000-0x00000000035EC000-memory.dmp

Filesize
1.4MB

Download
memory/3392-152-0x0000000003490000-0x00000000035EC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing