2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5

General

Target

2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe
Size

1.6MB
MD5

14e3b9b38c97efba12cf90755dc71579
SHA1

67e0fd88bbeddacb0e0303a51bdf93746b4f9ce9
SHA256

2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5
SHA512

c4a282dca0f132befc1f87bccfab7226f269f7f1ad3f4538ab6034ae1f1f83a11add89d04715f486ebd849acffa10d790c48e14bf6a05440e6d1b1002e15cd22
SSDEEP

49152:/eZBYBfJXAElWD+D2Emnahm/dT8NqULagbQZ65zcy48YloLi0:/eZBYBfKElTKEZqZ8eyQZQzcy48YloL9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe

Loads dropped DLL 4 IoCs

pid	Process
636	rundll32.exe
636	rundll32.exe
1144	rundll32.exe
1144	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4264	4720	2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe	81
PID 4720 wrote to memory of 4264	4720	2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe	81
PID 4720 wrote to memory of 4264	4720	2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe	81
PID 4264 wrote to memory of 636	4264	control.exe	83
PID 4264 wrote to memory of 636	4264	control.exe	83
PID 4264 wrote to memory of 636	4264	control.exe	83
PID 636 wrote to memory of 696	636	rundll32.exe	84
PID 636 wrote to memory of 696	636	rundll32.exe	84
PID 696 wrote to memory of 1144	696	RunDll32.exe	85
PID 696 wrote to memory of 1144	696	RunDll32.exe	85
PID 696 wrote to memory of 1144	696	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe
"C:\Users\Admin\AppData\Local\Temp\2a21da4175eee4fcf3287e4bf3e5427d5270232558329c4ca4b34f04341ef6a5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2SOS.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2SOS.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2SOS.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2SOS.cPL",
        5⤵
        Loads dropped DLL
        
        PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2SOS.cPL

Filesize
1.5MB

MD5
ce08a0f2f4ac10613fea98fc23c31bf3

SHA1
3b50a4cb552002416011cec7a1097d1baa7fc52b

SHA256
4b0df36827527b0cae1069a020b21245922593a9b9f7e5001ccac7312ed759ae

SHA512
d2fea09b50c10612ffab278e69d2e870d2d4f01e6f3e1c9db24e8e6864902c96da6d4ef7041e352cc47e333f7d4ff7c85cd98cfd8c00913ea3f981a92a2ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SOs.cpl

Filesize
1.5MB

MD5
ce08a0f2f4ac10613fea98fc23c31bf3

SHA1
3b50a4cb552002416011cec7a1097d1baa7fc52b

SHA256
4b0df36827527b0cae1069a020b21245922593a9b9f7e5001ccac7312ed759ae

SHA512
d2fea09b50c10612ffab278e69d2e870d2d4f01e6f3e1c9db24e8e6864902c96da6d4ef7041e352cc47e333f7d4ff7c85cd98cfd8c00913ea3f981a92a2ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SOs.cpl

Filesize
1.5MB

MD5
ce08a0f2f4ac10613fea98fc23c31bf3

SHA1
3b50a4cb552002416011cec7a1097d1baa7fc52b

SHA256
4b0df36827527b0cae1069a020b21245922593a9b9f7e5001ccac7312ed759ae

SHA512
d2fea09b50c10612ffab278e69d2e870d2d4f01e6f3e1c9db24e8e6864902c96da6d4ef7041e352cc47e333f7d4ff7c85cd98cfd8c00913ea3f981a92a2ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SOs.cpl

Filesize
1.5MB

MD5
ce08a0f2f4ac10613fea98fc23c31bf3

SHA1
3b50a4cb552002416011cec7a1097d1baa7fc52b

SHA256
4b0df36827527b0cae1069a020b21245922593a9b9f7e5001ccac7312ed759ae

SHA512
d2fea09b50c10612ffab278e69d2e870d2d4f01e6f3e1c9db24e8e6864902c96da6d4ef7041e352cc47e333f7d4ff7c85cd98cfd8c00913ea3f981a92a2ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SOs.cpl

Filesize
1.5MB

MD5
ce08a0f2f4ac10613fea98fc23c31bf3

SHA1
3b50a4cb552002416011cec7a1097d1baa7fc52b

SHA256
4b0df36827527b0cae1069a020b21245922593a9b9f7e5001ccac7312ed759ae

SHA512
d2fea09b50c10612ffab278e69d2e870d2d4f01e6f3e1c9db24e8e6864902c96da6d4ef7041e352cc47e333f7d4ff7c85cd98cfd8c00913ea3f981a92a2ef700

Download Submit
memory/636-144-0x0000000002A50000-0x0000000002B27000-memory.dmp

Filesize
860KB

Download
memory/636-137-0x0000000002520000-0x0000000002695000-memory.dmp

Filesize
1.5MB

Download
memory/636-140-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

Filesize
24KB

Download
memory/636-142-0x0000000002960000-0x0000000002A4F000-memory.dmp

Filesize
956KB

Download
memory/636-143-0x0000000002A50000-0x0000000002B27000-memory.dmp

Filesize
860KB

Download
memory/636-138-0x0000000002520000-0x0000000002695000-memory.dmp

Filesize
1.5MB

Download
memory/1144-150-0x0000000002740000-0x00000000028B5000-memory.dmp

Filesize
1.5MB

Download
memory/1144-151-0x0000000002740000-0x00000000028B5000-memory.dmp

Filesize
1.5MB

Download
memory/1144-154-0x00000000022C0000-0x00000000022C6000-memory.dmp

Filesize
24KB

Download
memory/1144-155-0x0000000002B00000-0x0000000002BEF000-memory.dmp

Filesize
956KB

Download
memory/1144-157-0x0000000002BF0000-0x0000000002CC7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing