800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca

General

Target

800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe
Size

1.7MB
MD5

35fb581334755e485b13f45dc92ae4ce
SHA1

f81aa7bcc8acf31a804674b76e1f8912a97387a0
SHA256

800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca
SHA512

fe8bb2544565dd36a72618a9ca7d4fb87370cf367ee33f144e20b6f6f260045006ff69b19ce48cc38b13384faf5674028141127704b56b056d454de5fd0f19a4
SSDEEP

49152:084cUpwjQ/RayucA9OmcSm/n61XiS6rB9Lg3Ry8HzZ:6c6RVCvc71n03/d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe

Loads dropped DLL 3 IoCs

pid	Process
2752	rundll32.exe
2752	rundll32.exe
1268	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1684	4924	800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe	82
PID 4924 wrote to memory of 1684	4924	800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe	82
PID 4924 wrote to memory of 1684	4924	800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe	82
PID 1684 wrote to memory of 2752	1684	control.exe	84
PID 1684 wrote to memory of 2752	1684	control.exe	84
PID 1684 wrote to memory of 2752	1684	control.exe	84
PID 2752 wrote to memory of 3108	2752	rundll32.exe	85
PID 2752 wrote to memory of 3108	2752	rundll32.exe	85
PID 3108 wrote to memory of 1268	3108	RunDll32.exe	86
PID 3108 wrote to memory of 1268	3108	RunDll32.exe	86
PID 3108 wrote to memory of 1268	3108	RunDll32.exe	86

C:\Users\Admin\AppData\Local\Temp\800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe
"C:\Users\Admin\AppData\Local\Temp\800f3a19e6eb0521ff482ff309a8cb5e2336cf162d10ac3cc5497c1ce48e60ca.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JHRVK.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JHRVK.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JHRVK.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\JHRVK.cpl",
        5⤵
        Loads dropped DLL
        
        PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JHRVK.cpl

Filesize
2.0MB

MD5
ad42fe3b275b851bce0ef13e7deafff3

SHA1
afda56d362a3e3e865950843d76e5ad5db442e88

SHA256
59c0b41a3ad0867879a8c33b1978b1036b587fc279f7ce23251f344c5150534c

SHA512
93b2af874e013f6b2d4887777fd6079d82bb4b7633842d9cc885ed874a741082a6a4c3014b2d336ef31276dd11da2e7371f656714c683b8085ef89add65aa4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHRvk.cpl

Filesize
2.0MB

MD5
ad42fe3b275b851bce0ef13e7deafff3

SHA1
afda56d362a3e3e865950843d76e5ad5db442e88

SHA256
59c0b41a3ad0867879a8c33b1978b1036b587fc279f7ce23251f344c5150534c

SHA512
93b2af874e013f6b2d4887777fd6079d82bb4b7633842d9cc885ed874a741082a6a4c3014b2d336ef31276dd11da2e7371f656714c683b8085ef89add65aa4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHRvk.cpl

Filesize
2.0MB

MD5
ad42fe3b275b851bce0ef13e7deafff3

SHA1
afda56d362a3e3e865950843d76e5ad5db442e88

SHA256
59c0b41a3ad0867879a8c33b1978b1036b587fc279f7ce23251f344c5150534c

SHA512
93b2af874e013f6b2d4887777fd6079d82bb4b7633842d9cc885ed874a741082a6a4c3014b2d336ef31276dd11da2e7371f656714c683b8085ef89add65aa4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\JHRvk.cpl

Filesize
2.0MB

MD5
ad42fe3b275b851bce0ef13e7deafff3

SHA1
afda56d362a3e3e865950843d76e5ad5db442e88

SHA256
59c0b41a3ad0867879a8c33b1978b1036b587fc279f7ce23251f344c5150534c

SHA512
93b2af874e013f6b2d4887777fd6079d82bb4b7633842d9cc885ed874a741082a6a4c3014b2d336ef31276dd11da2e7371f656714c683b8085ef89add65aa4ed

Download Submit
memory/1268-154-0x0000000002EA0000-0x0000000002FA1000-memory.dmp

Filesize
1.0MB

Download
memory/1268-151-0x0000000003090000-0x0000000003158000-memory.dmp

Filesize
800KB

Download
memory/1268-150-0x0000000002FB0000-0x000000000308E000-memory.dmp

Filesize
888KB

Download
memory/1268-148-0x0000000002EA0000-0x0000000002FA1000-memory.dmp

Filesize
1.0MB

Download
memory/1268-147-0x0000000002C90000-0x0000000002D95000-memory.dmp

Filesize
1.0MB

Download
memory/2752-139-0x0000000002B70000-0x0000000002C71000-memory.dmp

Filesize
1.0MB

Download
memory/2752-141-0x0000000002D60000-0x0000000002E28000-memory.dmp

Filesize
800KB

Download
memory/2752-140-0x0000000002C80000-0x0000000002D5E000-memory.dmp

Filesize
888KB

Download
memory/2752-149-0x0000000002B70000-0x0000000002C71000-memory.dmp

Filesize
1.0MB

Download
memory/2752-137-0x00000000024F0000-0x00000000026F4000-memory.dmp

Filesize
2.0MB

Download
memory/2752-138-0x0000000002960000-0x0000000002A65000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing