04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca

General

Target

04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe
Size

1.8MB
MD5

b4bc90628a3bc8ef0f48bf676245be9c
SHA1

7269a81ea9f23eae146cc992e90c46c8d9169013
SHA256

04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca
SHA512

9683f43393e124e5eb2df454e5fdcef0ec586828470362bdfecd57e78d665a59ea46857bfa8b06d6a4dd7ec8037d6c812f933a7cee6bb4aa1528860e721adc97
SSDEEP

49152:H6awbQ7l4cqFLBKNluOrZ54bkjh0NeiR0w:H6RQ45BKb1N5WGhKeiOw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe

Loads dropped DLL 3 IoCs

pid	Process
1148	rundll32.exe
4208	rundll32.exe
4208	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 400	4736	04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe	82
PID 4736 wrote to memory of 400	4736	04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe	82
PID 4736 wrote to memory of 400	4736	04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe	82
PID 400 wrote to memory of 1148	400	control.exe	84
PID 400 wrote to memory of 1148	400	control.exe	84
PID 400 wrote to memory of 1148	400	control.exe	84
PID 1148 wrote to memory of 2592	1148	rundll32.exe	91
PID 1148 wrote to memory of 2592	1148	rundll32.exe	91
PID 2592 wrote to memory of 4208	2592	RunDll32.exe	92
PID 2592 wrote to memory of 4208	2592	RunDll32.exe	92
PID 2592 wrote to memory of 4208	2592	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe
"C:\Users\Admin\AppData\Local\Temp\04ccc7b18c003a56a02845e980e1c45dfee304b7e91fb16043ae4515bfbf91ca.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\YQxI.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YQxI.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YQxI.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\YQxI.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YQxI.CpL

Filesize
1.8MB

MD5
0195861b9ea3b35d4d3d78df2ad2e1b0

SHA1
9b6f56f36f97395519f10415a2f1226685faa087

SHA256
a1152ab89412ef067b1595e981b48a06bc08d14b130fc4e2fddb02128f190cf1

SHA512
9862a2a5e0f442bb4f1a638009a42369f62b2171b460584d8bfb732ccc883f20d03e6b6b3a6afe17a46aea863e397273d06249a265d6a34cf2e52b93fd5fc7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQxI.cpl

Filesize
1.8MB

MD5
0195861b9ea3b35d4d3d78df2ad2e1b0

SHA1
9b6f56f36f97395519f10415a2f1226685faa087

SHA256
a1152ab89412ef067b1595e981b48a06bc08d14b130fc4e2fddb02128f190cf1

SHA512
9862a2a5e0f442bb4f1a638009a42369f62b2171b460584d8bfb732ccc883f20d03e6b6b3a6afe17a46aea863e397273d06249a265d6a34cf2e52b93fd5fc7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQxI.cpl

Filesize
1.8MB

MD5
0195861b9ea3b35d4d3d78df2ad2e1b0

SHA1
9b6f56f36f97395519f10415a2f1226685faa087

SHA256
a1152ab89412ef067b1595e981b48a06bc08d14b130fc4e2fddb02128f190cf1

SHA512
9862a2a5e0f442bb4f1a638009a42369f62b2171b460584d8bfb732ccc883f20d03e6b6b3a6afe17a46aea863e397273d06249a265d6a34cf2e52b93fd5fc7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQxI.cpl

Filesize
1.8MB

MD5
0195861b9ea3b35d4d3d78df2ad2e1b0

SHA1
9b6f56f36f97395519f10415a2f1226685faa087

SHA256
a1152ab89412ef067b1595e981b48a06bc08d14b130fc4e2fddb02128f190cf1

SHA512
9862a2a5e0f442bb4f1a638009a42369f62b2171b460584d8bfb732ccc883f20d03e6b6b3a6afe17a46aea863e397273d06249a265d6a34cf2e52b93fd5fc7a4

Download Submit
memory/1148-136-0x0000000003330000-0x000000000347A000-memory.dmp

Filesize
1.3MB

Download
memory/1148-137-0x00000000035D0000-0x0000000003716000-memory.dmp

Filesize
1.3MB

Download
memory/1148-138-0x0000000003720000-0x0000000003810000-memory.dmp

Filesize
960KB

Download
memory/1148-139-0x0000000003810000-0x00000000038E7000-memory.dmp

Filesize
860KB

Download
memory/1148-154-0x00000000035D0000-0x0000000003716000-memory.dmp

Filesize
1.3MB

Download
memory/4208-146-0x00000000024A0000-0x0000000002668000-memory.dmp

Filesize
1.8MB

Download
memory/4208-147-0x00000000028C0000-0x0000000002A0A000-memory.dmp

Filesize
1.3MB

Download
memory/4208-148-0x0000000002B60000-0x0000000002CA6000-memory.dmp

Filesize
1.3MB

Download
memory/4208-149-0x0000000002CB0000-0x0000000002DA0000-memory.dmp

Filesize
960KB

Download
memory/4208-150-0x0000000002DA0000-0x0000000002E77000-memory.dmp

Filesize
860KB

Download
memory/4208-153-0x0000000002B60000-0x0000000002CA6000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing