e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392

Analysis

max time kernel
112s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2022, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe
Size

1.6MB
MD5

5bbd1f5a98e889917b7b213f7e40f6ca
SHA1

8cc8fb5df6ddb3f44b5265cf2be9d14903d69aaa
SHA256

e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392
SHA512

d67626a7706346ccf676528caa636d2df14fb4affb898f6a28d5560160d05cb05b475af16406e5b7745cbf580b4f54b741dab0a5d7c3ce6b6d9530be02bf951e
SSDEEP

24576:VLeTtjJF5HrKxIh+RXfKCXAFi2FxcJh50PWrFXxavhWcAjXJBaEFaHYKQRKKyHgc:VLYgJZCiAC7aWrFXx1XnWkR1cIkV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe

Loads dropped DLL 2 IoCs

pid	Process
4324	rundll32.exe
1712	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 3504	4180	e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe	81
PID 4180 wrote to memory of 3504	4180	e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe	81
PID 4180 wrote to memory of 3504	4180	e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe	81
PID 3504 wrote to memory of 4324	3504	control.exe	83
PID 3504 wrote to memory of 4324	3504	control.exe	83
PID 3504 wrote to memory of 4324	3504	control.exe	83
PID 4324 wrote to memory of 3792	4324	rundll32.exe	84
PID 4324 wrote to memory of 3792	4324	rundll32.exe	84
PID 3792 wrote to memory of 1712	3792	RunDll32.exe	85
PID 3792 wrote to memory of 1712	3792	RunDll32.exe	85
PID 3792 wrote to memory of 1712	3792	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe
"C:\Users\Admin\AppData\Local\Temp\e9c2bf9db621ed3caae85e0adf2313be1e572661d47ffb5c3e673d28e0b0e392.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VHFAE763.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHFAE763.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHFAE763.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VHFAE763.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VHFAE763.Cpl

Filesize
1.5MB

MD5
b7db2fa80b74c7fcc392d18967b820fe

SHA1
ae6252021f75203a2511c69ef964b64befd4a5ca

SHA256
a01a6ba7796d8f5215970bdbb4eaa8c273c5d9bb68a5b978a54577961a6ee410

SHA512
036aed92cd4d5a19d9642ea85acb54c19a98279d6e2804f815c2bd6999e8f12028c8479486c48ee67613896be257ee35d2a49c4bd2a599712bc87f306378f24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhfAE763.cpl

Filesize
1.5MB

MD5
b7db2fa80b74c7fcc392d18967b820fe

SHA1
ae6252021f75203a2511c69ef964b64befd4a5ca

SHA256
a01a6ba7796d8f5215970bdbb4eaa8c273c5d9bb68a5b978a54577961a6ee410

SHA512
036aed92cd4d5a19d9642ea85acb54c19a98279d6e2804f815c2bd6999e8f12028c8479486c48ee67613896be257ee35d2a49c4bd2a599712bc87f306378f24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhfAE763.cpl

Filesize
1.5MB

MD5
b7db2fa80b74c7fcc392d18967b820fe

SHA1
ae6252021f75203a2511c69ef964b64befd4a5ca

SHA256
a01a6ba7796d8f5215970bdbb4eaa8c273c5d9bb68a5b978a54577961a6ee410

SHA512
036aed92cd4d5a19d9642ea85acb54c19a98279d6e2804f815c2bd6999e8f12028c8479486c48ee67613896be257ee35d2a49c4bd2a599712bc87f306378f24b

Download Submit
memory/1712-145-0x0000000002E20000-0x0000000002FA8000-memory.dmp

Filesize
1.5MB

Download
memory/1712-147-0x0000000002CF0000-0x0000000002DD0000-memory.dmp

Filesize
896KB

Download
memory/1712-148-0x0000000003500000-0x00000000035C8000-memory.dmp

Filesize
800KB

Download
memory/4324-136-0x0000000002C90000-0x0000000002E18000-memory.dmp

Filesize
1.5MB

Download
memory/4324-137-0x0000000072E00000-0x0000000072F90000-memory.dmp

Filesize
1.6MB

Download
memory/4324-138-0x0000000002AC0000-0x0000000002BA0000-memory.dmp

Filesize
896KB

Download
memory/4324-139-0x0000000002BA0000-0x0000000002C68000-memory.dmp

Filesize
800KB

Download
memory/4324-146-0x0000000072E00000-0x0000000072F90000-memory.dmp

Filesize
1.6MB

Download