40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826

General

Target

40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe
Size

1.7MB
MD5

4fbeec1a772be5f9ad1325d2601c7928
SHA1

2dec7958c62a24c05d8e1e259bb185d42dfddfbc
SHA256

40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826
SHA512

837663bb1a7db821fd504bf85629e6a453da77896e55f58e07b44d177bfddbf2b4a9965512c1a7d0660abf322618ded2fb208c67ada19b10d76b7b59a45321ea
SSDEEP

24576:4ry2uXzmVL5I6tVUi723/1YfyQAEEwxQypgMUFo8rbBdmFb2wGqL40aBXDVuWYYr:4unYZ723a/Qya1Fo8rzWb2ELi1D0Wm8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe

Loads dropped DLL 3 IoCs

pid	Process
3604	rundll32.exe
392	rundll32.exe
392	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4788	3524	40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe	79
PID 3524 wrote to memory of 4788	3524	40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe	79
PID 3524 wrote to memory of 4788	3524	40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe	79
PID 4788 wrote to memory of 3604	4788	control.exe	81
PID 4788 wrote to memory of 3604	4788	control.exe	81
PID 4788 wrote to memory of 3604	4788	control.exe	81
PID 3604 wrote to memory of 4936	3604	rundll32.exe	82
PID 3604 wrote to memory of 4936	3604	rundll32.exe	82
PID 4936 wrote to memory of 392	4936	RunDll32.exe	83
PID 4936 wrote to memory of 392	4936	RunDll32.exe	83
PID 4936 wrote to memory of 392	4936	RunDll32.exe	83

C:\Users\Admin\AppData\Local\Temp\40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe
"C:\Users\Admin\AppData\Local\Temp\40b56c427f3b48710e30a25c3ce1637230fef81617f5cd03610b0b64264af826.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CKRLZK.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CKRLZK.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CKRLZK.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\CKRLZK.CPL",
        5⤵
        Loads dropped DLL
        
        PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CKRLZK.CPL

Filesize
2.7MB

MD5
ecb87edf1b562b07dd1ceafe9f8816d3

SHA1
f1bf97f09cb13338e391b69078a56d8edede4a4b

SHA256
ee6a8939f9c5e5f3a6d0e9c45fea31f1391c27d3ee66f1f45a775890ed9b9aed

SHA512
06662c3bb2f9b2c5986e445c562c8b3bf1105112a576c858c895ba763a7d89a326aae412ac226e1b0acdedae1abedf741492d0811279440c1248ed88eb50034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKRLZK.cpl

Filesize
2.7MB

MD5
ecb87edf1b562b07dd1ceafe9f8816d3

SHA1
f1bf97f09cb13338e391b69078a56d8edede4a4b

SHA256
ee6a8939f9c5e5f3a6d0e9c45fea31f1391c27d3ee66f1f45a775890ed9b9aed

SHA512
06662c3bb2f9b2c5986e445c562c8b3bf1105112a576c858c895ba763a7d89a326aae412ac226e1b0acdedae1abedf741492d0811279440c1248ed88eb50034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKRLZK.cpl

Filesize
2.7MB

MD5
ecb87edf1b562b07dd1ceafe9f8816d3

SHA1
f1bf97f09cb13338e391b69078a56d8edede4a4b

SHA256
ee6a8939f9c5e5f3a6d0e9c45fea31f1391c27d3ee66f1f45a775890ed9b9aed

SHA512
06662c3bb2f9b2c5986e445c562c8b3bf1105112a576c858c895ba763a7d89a326aae412ac226e1b0acdedae1abedf741492d0811279440c1248ed88eb50034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CKRLZK.cpl

Filesize
2.7MB

MD5
ecb87edf1b562b07dd1ceafe9f8816d3

SHA1
f1bf97f09cb13338e391b69078a56d8edede4a4b

SHA256
ee6a8939f9c5e5f3a6d0e9c45fea31f1391c27d3ee66f1f45a775890ed9b9aed

SHA512
06662c3bb2f9b2c5986e445c562c8b3bf1105112a576c858c895ba763a7d89a326aae412ac226e1b0acdedae1abedf741492d0811279440c1248ed88eb50034c

Download Submit
memory/392-146-0x00000000024F0000-0x00000000027B2000-memory.dmp

Filesize
2.8MB

Download
memory/392-154-0x0000000002EF0000-0x0000000003020000-memory.dmp

Filesize
1.2MB

Download
memory/392-151-0x0000000003100000-0x00000000031C9000-memory.dmp

Filesize
804KB

Download
memory/392-150-0x0000000003020000-0x00000000030FF000-memory.dmp

Filesize
892KB

Download
memory/392-148-0x0000000002EF0000-0x0000000003020000-memory.dmp

Filesize
1.2MB

Download
memory/392-147-0x0000000002B40000-0x0000000002DB4000-memory.dmp

Filesize
2.5MB

Download
memory/3604-136-0x0000000003620000-0x0000000003894000-memory.dmp

Filesize
2.5MB

Download
memory/3604-139-0x0000000003BE0000-0x0000000003CA9000-memory.dmp

Filesize
804KB

Download
memory/3604-138-0x0000000003B00000-0x0000000003BDF000-memory.dmp

Filesize
892KB

Download
memory/3604-149-0x00000000039D0000-0x0000000003B00000-memory.dmp

Filesize
1.2MB

Download
memory/3604-137-0x00000000039D0000-0x0000000003B00000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing