fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600

General

Target

fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe
Size

1.3MB
MD5

f1ef268433f64b0a89cee30aabd93472
SHA1

6f9108cae55c429d3cf10c689f72b45fc5467980
SHA256

fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600
SHA512

ebcaa2c1c84275bf03602fc8eb80bc1761658fcced5a1090c1be8e7b41672bba2b4650ea906da4eecab5e911caa2df9f0423d9c83a77b33780f4edd72e3abb41
SSDEEP

24576:VLeTtjJF5HrKMuNr57WjvZTrCw+TpJxQ8HpA87KtAsB2GMyZlbamRTA5TRgVtl:VLYgM+RWjRTrQzQAm8UAsB7jamRTA5Ni

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe

Loads dropped DLL 4 IoCs

pid	Process
4200	rundll32.exe
4200	rundll32.exe
2208	rundll32.exe
2208	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4392	4972	fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe	81
PID 4972 wrote to memory of 4392	4972	fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe	81
PID 4972 wrote to memory of 4392	4972	fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe	81
PID 4392 wrote to memory of 4200	4392	control.exe	83
PID 4392 wrote to memory of 4200	4392	control.exe	83
PID 4392 wrote to memory of 4200	4392	control.exe	83
PID 4200 wrote to memory of 372	4200	rundll32.exe	84
PID 4200 wrote to memory of 372	4200	rundll32.exe	84
PID 372 wrote to memory of 2208	372	RunDll32.exe	85
PID 372 wrote to memory of 2208	372	RunDll32.exe	85
PID 372 wrote to memory of 2208	372	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe
"C:\Users\Admin\AppData\Local\Temp\fb3e1300f8ad8e14ed0da5799fd2c529f163c31c0461f4168d9c8c989bb11600.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7DBwUM.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7DBwUM.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7DBwUM.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7DBwUM.cpl",
        5⤵
        Loads dropped DLL
        
        PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7DBwUM.cpl

Filesize
1.4MB

MD5
97aa9f41f70d700d3a09c5758e0d4495

SHA1
b828da70a101d4ea5b61e27ff5be5d8ffc4c45bd

SHA256
c16048323f00fe1cf492e8f2758694c42a9027551c5b94673a473c4468e81a0b

SHA512
ea98ac90368785eb63516e0af38aa31b8e0555045b26b70a72108f9c07a6bef58bfd303da02e16b3aef3deca41901bb034d6cc1f341f25edf86b799a347ab84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dBwUm.cpl

Filesize
1.4MB

MD5
97aa9f41f70d700d3a09c5758e0d4495

SHA1
b828da70a101d4ea5b61e27ff5be5d8ffc4c45bd

SHA256
c16048323f00fe1cf492e8f2758694c42a9027551c5b94673a473c4468e81a0b

SHA512
ea98ac90368785eb63516e0af38aa31b8e0555045b26b70a72108f9c07a6bef58bfd303da02e16b3aef3deca41901bb034d6cc1f341f25edf86b799a347ab84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dBwUm.cpl

Filesize
1.4MB

MD5
97aa9f41f70d700d3a09c5758e0d4495

SHA1
b828da70a101d4ea5b61e27ff5be5d8ffc4c45bd

SHA256
c16048323f00fe1cf492e8f2758694c42a9027551c5b94673a473c4468e81a0b

SHA512
ea98ac90368785eb63516e0af38aa31b8e0555045b26b70a72108f9c07a6bef58bfd303da02e16b3aef3deca41901bb034d6cc1f341f25edf86b799a347ab84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dBwUm.cpl

Filesize
1.4MB

MD5
97aa9f41f70d700d3a09c5758e0d4495

SHA1
b828da70a101d4ea5b61e27ff5be5d8ffc4c45bd

SHA256
c16048323f00fe1cf492e8f2758694c42a9027551c5b94673a473c4468e81a0b

SHA512
ea98ac90368785eb63516e0af38aa31b8e0555045b26b70a72108f9c07a6bef58bfd303da02e16b3aef3deca41901bb034d6cc1f341f25edf86b799a347ab84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dBwUm.cpl

Filesize
1.4MB

MD5
97aa9f41f70d700d3a09c5758e0d4495

SHA1
b828da70a101d4ea5b61e27ff5be5d8ffc4c45bd

SHA256
c16048323f00fe1cf492e8f2758694c42a9027551c5b94673a473c4468e81a0b

SHA512
ea98ac90368785eb63516e0af38aa31b8e0555045b26b70a72108f9c07a6bef58bfd303da02e16b3aef3deca41901bb034d6cc1f341f25edf86b799a347ab84b

Download Submit
memory/2208-150-0x00000000027B0000-0x0000000002911000-memory.dmp

Filesize
1.4MB

Download
memory/2208-151-0x00000000027B0000-0x0000000002911000-memory.dmp

Filesize
1.4MB

Download
memory/2208-154-0x0000000002940000-0x0000000002946000-memory.dmp

Filesize
24KB

Download
memory/2208-155-0x0000000002B80000-0x0000000002C5F000-memory.dmp

Filesize
892KB

Download
memory/2208-156-0x0000000002C70000-0x0000000002D39000-memory.dmp

Filesize
804KB

Download
memory/4200-141-0x0000000000AA0000-0x0000000000AC8000-memory.dmp

Filesize
160KB

Download
memory/4200-142-0x00000000029A0000-0x0000000002A7F000-memory.dmp

Filesize
892KB

Download
memory/4200-143-0x0000000002A80000-0x0000000002B49000-memory.dmp

Filesize
804KB

Download
memory/4200-138-0x0000000002560000-0x00000000026C1000-memory.dmp

Filesize
1.4MB

Download
memory/4200-137-0x0000000002560000-0x00000000026C1000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing