859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c

General

Target

859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe
Size

2.0MB
MD5

840b22c7f90815f6f2b1590c25dffe23
SHA1

51b1057d6a4d4369dfa4e2ea0b2b8dfce33d76c7
SHA256

859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c
SHA512

23a04f9bab64d190932e985da0bedfa7afacf9d822c9e5eaa18e878679c429a8b694ba45414472816bafa19559669ba662a21f10669b8f4bb9caa5249ef28c2d
SSDEEP

49152:TlBfJXAEGWFa5LtZhrCzyqKLNRIZo0Y2ZHhi:TlBfKEharCzyTJ2o8ZHM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe

Loads dropped DLL 2 IoCs

pid	Process
5068	rundll32.exe
212	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4328	4612	859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe	81
PID 4612 wrote to memory of 4328	4612	859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe	81
PID 4612 wrote to memory of 4328	4612	859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe	81
PID 4328 wrote to memory of 5068	4328	control.exe	83
PID 4328 wrote to memory of 5068	4328	control.exe	83
PID 4328 wrote to memory of 5068	4328	control.exe	83
PID 5068 wrote to memory of 3832	5068	rundll32.exe	90
PID 5068 wrote to memory of 3832	5068	rundll32.exe	90
PID 3832 wrote to memory of 212	3832	RunDll32.exe	91
PID 3832 wrote to memory of 212	3832	RunDll32.exe	91
PID 3832 wrote to memory of 212	3832	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe
"C:\Users\Admin\AppData\Local\Temp\859ed7b613b977117ac2c40d05c1b30a2681376e7e7dd324407a9fea22de9d1c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\wohWUQK.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\wohWUQK.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\wohWUQK.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\wohWUQK.cpl",
        5⤵
        Loads dropped DLL
        
        PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wohWUQK.cpl

Filesize
2.0MB

MD5
addca3dcfcce5cb1f2a3792f2bbabcda

SHA1
6caf945bbac15e357de322373be8936d6ed3414b

SHA256
0275d2afdd6f03d0dca4a33dbffd0cc06516b877a001257018e6aeee47f56fd9

SHA512
bd073e76fb552b48500857ad14ed9f8810126b13807cde23d00561fabd1a21803049b76364ff0e6ace7bcce981ae7f7489b320a2b95232eb268e3ef957bea317

Download Submit
C:\Users\Admin\AppData\Local\Temp\wohWuqk.cpl

Filesize
2.0MB

MD5
addca3dcfcce5cb1f2a3792f2bbabcda

SHA1
6caf945bbac15e357de322373be8936d6ed3414b

SHA256
0275d2afdd6f03d0dca4a33dbffd0cc06516b877a001257018e6aeee47f56fd9

SHA512
bd073e76fb552b48500857ad14ed9f8810126b13807cde23d00561fabd1a21803049b76364ff0e6ace7bcce981ae7f7489b320a2b95232eb268e3ef957bea317

Download Submit
C:\Users\Admin\AppData\Local\Temp\wohWuqk.cpl

Filesize
2.0MB

MD5
addca3dcfcce5cb1f2a3792f2bbabcda

SHA1
6caf945bbac15e357de322373be8936d6ed3414b

SHA256
0275d2afdd6f03d0dca4a33dbffd0cc06516b877a001257018e6aeee47f56fd9

SHA512
bd073e76fb552b48500857ad14ed9f8810126b13807cde23d00561fabd1a21803049b76364ff0e6ace7bcce981ae7f7489b320a2b95232eb268e3ef957bea317

Download Submit
memory/212-152-0x0000000002920000-0x0000000002B0F000-memory.dmp

Filesize
1.9MB

Download
memory/212-150-0x00000000021F0000-0x00000000022B9000-memory.dmp

Filesize
804KB

Download
memory/212-149-0x00000000021F0000-0x00000000022B9000-memory.dmp

Filesize
804KB

Download
memory/212-148-0x0000000002110000-0x00000000021EF000-memory.dmp

Filesize
892KB

Download
memory/212-145-0x0000000002920000-0x0000000002B0F000-memory.dmp

Filesize
1.9MB

Download
memory/5068-136-0x0000000003140000-0x000000000332F000-memory.dmp

Filesize
1.9MB

Download
memory/5068-140-0x0000000003A30000-0x0000000003AF9000-memory.dmp

Filesize
804KB

Download
memory/5068-146-0x0000000003140000-0x000000000332F000-memory.dmp

Filesize
1.9MB

Download
memory/5068-147-0x00000000735A0000-0x000000007379D000-memory.dmp

Filesize
2.0MB

Download
memory/5068-139-0x0000000003A30000-0x0000000003AF9000-memory.dmp

Filesize
804KB

Download
memory/5068-138-0x0000000003950000-0x0000000003A2F000-memory.dmp

Filesize
892KB

Download
memory/5068-137-0x00000000735A0000-0x000000007379D000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing