ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c

General

Target

ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe
Size

1.6MB
MD5

0f842a4ec01b35f6b2ef240e85ad37db
SHA1

44ec1c8c73c7508dc533d7e49a2e477e0033b879
SHA256

ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c
SHA512

096812d1144d10b42589dcaaf52645ada9d50286b1e9f5bbb82511be95742919e910e5c3bbd03e5f207da170c087ca827d0a8aaa7195161f6af610d6e6290e8b
SSDEEP

24576:zry2uXzmwLXh0J0o35t5a5QZ6j6MuCc14Yfy96ihQQItVTwA/ZkBumLA3mv/wW4c:zunDhs3rt2W11Fw6XhmLA3qeeD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe

Loads dropped DLL 3 IoCs

pid	Process
900	rundll32.exe
900	rundll32.exe
212	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4916	2276	ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe	79
PID 2276 wrote to memory of 4916	2276	ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe	79
PID 2276 wrote to memory of 4916	2276	ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe	79
PID 4916 wrote to memory of 900	4916	control.exe	80
PID 4916 wrote to memory of 900	4916	control.exe	80
PID 4916 wrote to memory of 900	4916	control.exe	80
PID 900 wrote to memory of 2328	900	rundll32.exe	84
PID 900 wrote to memory of 2328	900	rundll32.exe	84
PID 2328 wrote to memory of 212	2328	RunDll32.exe	85
PID 2328 wrote to memory of 212	2328	RunDll32.exe	85
PID 2328 wrote to memory of 212	2328	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe
"C:\Users\Admin\AppData\Local\Temp\ceb21a4bb579c99a217b6c228678f730c86c18392598c61ec11eeee613f7c57c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\FJMRO8tR.P
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FJMRO8tR.P
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FJMRO8tR.P
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FJMRO8tR.P
        5⤵
        Loads dropped DLL
        
        PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FJMRO8tR.P

Filesize
1.3MB

MD5
8b1bba95e428087c48a48bd89a01ae60

SHA1
74405511acf4e78a6b485c9a9dbbb4cbb10ba43b

SHA256
c316d51a273e9ba46cbc624fbeda82743aa2d3cb97db879611e4091cf4acf5a5

SHA512
413b675e4d5b93ce1f3a8e8964102f0ad9d5b097c644970812e498c16cc6da53ce1aee2b321cc34ad538bade00d7773439bcefd2468ddfea1cf2824b29eeb270

Download Submit
C:\Users\Admin\AppData\Local\Temp\FJmRO8tr.p

Filesize
1.3MB

MD5
8b1bba95e428087c48a48bd89a01ae60

SHA1
74405511acf4e78a6b485c9a9dbbb4cbb10ba43b

SHA256
c316d51a273e9ba46cbc624fbeda82743aa2d3cb97db879611e4091cf4acf5a5

SHA512
413b675e4d5b93ce1f3a8e8964102f0ad9d5b097c644970812e498c16cc6da53ce1aee2b321cc34ad538bade00d7773439bcefd2468ddfea1cf2824b29eeb270

Download Submit
C:\Users\Admin\AppData\Local\Temp\FJmRO8tr.p

Filesize
1.3MB

MD5
8b1bba95e428087c48a48bd89a01ae60

SHA1
74405511acf4e78a6b485c9a9dbbb4cbb10ba43b

SHA256
c316d51a273e9ba46cbc624fbeda82743aa2d3cb97db879611e4091cf4acf5a5

SHA512
413b675e4d5b93ce1f3a8e8964102f0ad9d5b097c644970812e498c16cc6da53ce1aee2b321cc34ad538bade00d7773439bcefd2468ddfea1cf2824b29eeb270

Download Submit
C:\Users\Admin\AppData\Local\Temp\FJmRO8tr.p

Filesize
1.3MB

MD5
8b1bba95e428087c48a48bd89a01ae60

SHA1
74405511acf4e78a6b485c9a9dbbb4cbb10ba43b

SHA256
c316d51a273e9ba46cbc624fbeda82743aa2d3cb97db879611e4091cf4acf5a5

SHA512
413b675e4d5b93ce1f3a8e8964102f0ad9d5b097c644970812e498c16cc6da53ce1aee2b321cc34ad538bade00d7773439bcefd2468ddfea1cf2824b29eeb270

Download Submit
memory/212-148-0x0000000003450000-0x000000000358E000-memory.dmp

Filesize
1.2MB

Download
memory/212-154-0x0000000003450000-0x000000000358E000-memory.dmp

Filesize
1.2MB

Download
memory/212-152-0x0000000003670000-0x0000000003733000-memory.dmp

Filesize
780KB

Download
memory/212-150-0x0000000003590000-0x000000000366A000-memory.dmp

Filesize
872KB

Download
memory/212-147-0x00000000031C0000-0x0000000003302000-memory.dmp

Filesize
1.3MB

Download
memory/900-140-0x0000000002F10000-0x0000000002FEA000-memory.dmp

Filesize
872KB

Download
memory/900-142-0x0000000002FF0000-0x00000000030B3000-memory.dmp

Filesize
780KB

Download
memory/900-141-0x0000000002FF0000-0x00000000030B3000-memory.dmp

Filesize
780KB

Download
memory/900-149-0x0000000002DD0000-0x0000000002F0E000-memory.dmp

Filesize
1.2MB

Download
memory/900-137-0x0000000002790000-0x00000000028EC000-memory.dmp

Filesize
1.4MB

Download
memory/900-139-0x0000000002DD0000-0x0000000002F0E000-memory.dmp

Filesize
1.2MB

Download
memory/900-138-0x0000000002B40000-0x0000000002C82000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing