be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02

General

Target

be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe
Size

1.7MB
MD5

03eb9c039a552a1a82113ce0b178f953
SHA1

b00c2eaf1bda51c626938660d8d25f22d8b97e20
SHA256

be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02
SHA512

ded438a18c91bd8e9c5bb03d0c9fd20e382f6bf6953133bf2b6bcd152f84d459a207ca7e006c8df8ea69bfb43fc52581d584daf8933d2745f43d0724ed4c3f99
SSDEEP

49152:4u4mdb3CbUb2xXy7ZGchtYKSMVjjl23gVjf8:4u4+32UbmXyGLKSMV834f8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe

Loads dropped DLL 4 IoCs

pid	Process
3148	rundll32.exe
3148	rundll32.exe
1268	rundll32.exe
1268	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3064	2732	be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe	85
PID 2732 wrote to memory of 3064	2732	be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe	85
PID 2732 wrote to memory of 3064	2732	be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe	85
PID 3064 wrote to memory of 3148	3064	control.exe	87
PID 3064 wrote to memory of 3148	3064	control.exe	87
PID 3064 wrote to memory of 3148	3064	control.exe	87
PID 3148 wrote to memory of 4100	3148	rundll32.exe	92
PID 3148 wrote to memory of 4100	3148	rundll32.exe	92
PID 4100 wrote to memory of 1268	4100	RunDll32.exe	93
PID 4100 wrote to memory of 1268	4100	RunDll32.exe	93
PID 4100 wrote to memory of 1268	4100	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe
"C:\Users\Admin\AppData\Local\Temp\be734a507f65ef9069ca4ae605f7cdfcf849efbc3e6c5819d220a263ff20fd02.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XNK7Y3.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XNK7Y3.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XNK7Y3.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XNK7Y3.cpl",
        5⤵
        Loads dropped DLL
        
        PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XNK7Y3.cpl

Filesize
1.2MB

MD5
8138b75f9a226b56b978aa63b94a060f

SHA1
c710710de74d434688cf8df941d2f34cea05c478

SHA256
0b6a7d9875c184e265876baddad63c6770ff8cff6e3c6753d678ad8375fc2548

SHA512
d995eedd8281bf8dc9132ceb84a4182e97a94eb969f898ceeb4fc9aa7b1bac631880849cb0949c08543af45ef635d058e82d4366be00356b9f33a75c234bbeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XnK7Y3.cpl

Filesize
1.2MB

MD5
8138b75f9a226b56b978aa63b94a060f

SHA1
c710710de74d434688cf8df941d2f34cea05c478

SHA256
0b6a7d9875c184e265876baddad63c6770ff8cff6e3c6753d678ad8375fc2548

SHA512
d995eedd8281bf8dc9132ceb84a4182e97a94eb969f898ceeb4fc9aa7b1bac631880849cb0949c08543af45ef635d058e82d4366be00356b9f33a75c234bbeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XnK7Y3.cpl

Filesize
1.2MB

MD5
8138b75f9a226b56b978aa63b94a060f

SHA1
c710710de74d434688cf8df941d2f34cea05c478

SHA256
0b6a7d9875c184e265876baddad63c6770ff8cff6e3c6753d678ad8375fc2548

SHA512
d995eedd8281bf8dc9132ceb84a4182e97a94eb969f898ceeb4fc9aa7b1bac631880849cb0949c08543af45ef635d058e82d4366be00356b9f33a75c234bbeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XnK7Y3.cpl

Filesize
1.2MB

MD5
8138b75f9a226b56b978aa63b94a060f

SHA1
c710710de74d434688cf8df941d2f34cea05c478

SHA256
0b6a7d9875c184e265876baddad63c6770ff8cff6e3c6753d678ad8375fc2548

SHA512
d995eedd8281bf8dc9132ceb84a4182e97a94eb969f898ceeb4fc9aa7b1bac631880849cb0949c08543af45ef635d058e82d4366be00356b9f33a75c234bbeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XnK7Y3.cpl

Filesize
1.2MB

MD5
8138b75f9a226b56b978aa63b94a060f

SHA1
c710710de74d434688cf8df941d2f34cea05c478

SHA256
0b6a7d9875c184e265876baddad63c6770ff8cff6e3c6753d678ad8375fc2548

SHA512
d995eedd8281bf8dc9132ceb84a4182e97a94eb969f898ceeb4fc9aa7b1bac631880849cb0949c08543af45ef635d058e82d4366be00356b9f33a75c234bbeb8

Download Submit
memory/1268-149-0x0000000002790000-0x00000000028A2000-memory.dmp

Filesize
1.1MB

Download
memory/1268-148-0x0000000002420000-0x0000000002561000-memory.dmp

Filesize
1.3MB

Download
memory/1268-156-0x00000000029C0000-0x0000000002ACE000-memory.dmp

Filesize
1.1MB

Download
memory/1268-153-0x0000000002BB0000-0x0000000002C72000-memory.dmp

Filesize
776KB

Download
memory/1268-152-0x0000000002AD0000-0x0000000002BA7000-memory.dmp

Filesize
860KB

Download
memory/1268-150-0x00000000029C0000-0x0000000002ACE000-memory.dmp

Filesize
1.1MB

Download
memory/3148-141-0x0000000002B70000-0x0000000002C32000-memory.dmp

Filesize
776KB

Download
memory/3148-137-0x00000000023E0000-0x0000000002521000-memory.dmp

Filesize
1.3MB

Download
memory/3148-151-0x0000000002980000-0x0000000002A8E000-memory.dmp

Filesize
1.1MB

Download
memory/3148-138-0x0000000002750000-0x0000000002862000-memory.dmp

Filesize
1.1MB

Download
memory/3148-140-0x0000000002A90000-0x0000000002B67000-memory.dmp

Filesize
860KB

Download
memory/3148-139-0x0000000002980000-0x0000000002A8E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing