cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc

Resubmissions

27/12/2022, 00:41

221227-a15twahc5y 7

27/12/2022, 00:20

221227-amsmdshc3w 7

Analysis

max time kernel
61s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe
Size

1.7MB
MD5

39fa68973af1c0d337504dc5f5a78c19
SHA1

ef0a813e0667a0fd0bb7f3856a3a43f910fd07b8
SHA256

cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc
SHA512

25c944174c1387c881ed5b01e25f7190519fbdca7a8e51f7f1de87954b7f2aded3bdff65c30294e68b3c1512ce1f38ae7b7d62c030ee214ffcbee08f3398c538
SSDEEP

49152:084cPIOD7j5EfFtmwLWwzshG41qQfMqhyf3hVEtg:6cPIOD7jWfWwLWwz8G4xfMqhyJVEa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe

Loads dropped DLL 2 IoCs

pid	Process
4360	rundll32.exe
4896	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2512	4860	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	82
PID 4860 wrote to memory of 2512	4860	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	82
PID 4860 wrote to memory of 2512	4860	cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe	82
PID 2512 wrote to memory of 4360	2512	control.exe	84
PID 2512 wrote to memory of 4360	2512	control.exe	84
PID 2512 wrote to memory of 4360	2512	control.exe	84
PID 4360 wrote to memory of 4284	4360	rundll32.exe	87
PID 4360 wrote to memory of 4284	4360	rundll32.exe	87
PID 4284 wrote to memory of 4896	4284	RunDll32.exe	88
PID 4284 wrote to memory of 4896	4284	RunDll32.exe	88
PID 4284 wrote to memory of 4896	4284	RunDll32.exe	88

C:\Users\Admin\AppData\Local\Temp\cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe
"C:\Users\Admin\AppData\Local\Temp\cf9f7872dd9109d9e11f39184d19fc93f74b9c5411681c6881a12415eb0751fc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl",
        5⤵
        Loads dropped DLL
        
        PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BV7TV.CPl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bv7tv.cpl

Filesize
1.7MB

MD5
ac5fc984f91784330c3fe570fc2d2904

SHA1
805fb0e284ce964335559a01e2ed9c3da70604b7

SHA256
65074cc409f4d1947ab4fd51d01c15db063cca4cbf7818d2e21d3bb4d43d6e54

SHA512
75b88512e3dc4955d0210502ee17e5414542d1c1b80bd65ebcaa0ad52ef1c6dcb4f9f84333d7b619ef7fcea260e97e32d18a2d5dc6555d167c550bfabfee37f6

Download Submit
memory/4360-138-0x0000000002DD0000-0x0000000002ECA000-memory.dmp

Filesize
1000KB

Download
memory/4360-137-0x0000000072DB0000-0x0000000072F67000-memory.dmp

Filesize
1.7MB

Download
memory/4360-139-0x0000000002ED0000-0x0000000002FB1000-memory.dmp

Filesize
900KB

Download
memory/4360-136-0x0000000002650000-0x00000000027FE000-memory.dmp

Filesize
1.7MB

Download
memory/4896-145-0x0000000002A30000-0x0000000002BDE000-memory.dmp

Filesize
1.7MB

Download
memory/4896-146-0x0000000002890000-0x000000000298A000-memory.dmp

Filesize
1000KB

Download
memory/4896-147-0x00000000031B0000-0x0000000003291000-memory.dmp

Filesize
900KB

Download