4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb

General

Target

4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe
Size

1.5MB
MD5

1f6273d93d693846d5f72698088e7fe6
SHA1

510aa7649e63fb26f32022c6f7a6884b942e951e
SHA256

4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb
SHA512

b9d1aebfcd298c0b5ddb7f82a982f406ef70e6d6e68f1301c75cfc7b5798c20b397ab6708f74092d1dadef9cfaf7cb8ca366ec85405b2054f5b75a80685a4bcd
SSDEEP

24576:JLllLl7tEtJbM1P2G8PMo5i1fI2t1CkYV7RpkQdC2R9RJtqRhWFwbUgFgVuZ8:hllL8Jb/Goh4BPtKdw2R9sRhWFM/FO5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe

Loads dropped DLL 2 IoCs

pid	Process
4276	rundll32.exe
4576	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2588	3256	4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe	79
PID 3256 wrote to memory of 2588	3256	4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe	79
PID 3256 wrote to memory of 2588	3256	4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe	79
PID 2588 wrote to memory of 4276	2588	control.exe	81
PID 2588 wrote to memory of 4276	2588	control.exe	81
PID 2588 wrote to memory of 4276	2588	control.exe	81
PID 4276 wrote to memory of 4360	4276	rundll32.exe	84
PID 4276 wrote to memory of 4360	4276	rundll32.exe	84
PID 4360 wrote to memory of 4576	4360	RunDll32.exe	85
PID 4360 wrote to memory of 4576	4360	RunDll32.exe	85
PID 4360 wrote to memory of 4576	4360	RunDll32.exe	85

C:\Users\Admin\AppData\Local\Temp\4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe
"C:\Users\Admin\AppData\Local\Temp\4e3f6b70dc8e75203afcc4a9a6171ed55f00ee492fa564cf2ccd3a0a4c7259eb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\6FqeLyfC.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6FqeLyfC.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\6FqeLyfC.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\6FqeLyfC.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6FqeLyfC.Cpl

Filesize
1.7MB

MD5
fa04167228430d152d72f1f44fc28a6b

SHA1
c3caf43ebea4dd0baf3dd282ed86e370188f71be

SHA256
3db26e04e6a85c6d2d008bbdb9e467cf8423e4338d8118045f2c9c2a113bb964

SHA512
4237d39559930e661f85836a11d040d210f8bb5e8c0d00e39a77fc3eaefe39b0c6931815b6cb0e5af5937b8e0b736fe106e68ab46dbd12968179458bdfc25ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FqeLyfc.cpl

Filesize
1.7MB

MD5
fa04167228430d152d72f1f44fc28a6b

SHA1
c3caf43ebea4dd0baf3dd282ed86e370188f71be

SHA256
3db26e04e6a85c6d2d008bbdb9e467cf8423e4338d8118045f2c9c2a113bb964

SHA512
4237d39559930e661f85836a11d040d210f8bb5e8c0d00e39a77fc3eaefe39b0c6931815b6cb0e5af5937b8e0b736fe106e68ab46dbd12968179458bdfc25ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FqeLyfc.cpl

Filesize
1.7MB

MD5
fa04167228430d152d72f1f44fc28a6b

SHA1
c3caf43ebea4dd0baf3dd282ed86e370188f71be

SHA256
3db26e04e6a85c6d2d008bbdb9e467cf8423e4338d8118045f2c9c2a113bb964

SHA512
4237d39559930e661f85836a11d040d210f8bb5e8c0d00e39a77fc3eaefe39b0c6931815b6cb0e5af5937b8e0b736fe106e68ab46dbd12968179458bdfc25ce9

Download Submit
memory/2588-133-0x0000000000000000-mapping.dmp

Download
memory/4276-141-0x00000000031F0000-0x00000000032ED000-memory.dmp

Filesize
1012KB

Download
memory/4276-140-0x0000000002BD0000-0x0000000002BD6000-memory.dmp

Filesize
24KB

Download
memory/4276-137-0x0000000000400000-0x00000000005AE000-memory.dmp

Filesize
1.7MB

Download
memory/4276-142-0x00000000032F0000-0x00000000033D5000-memory.dmp

Filesize
916KB

Download
memory/4276-134-0x0000000000000000-mapping.dmp

Download
memory/4360-145-0x0000000000000000-mapping.dmp

Download
memory/4576-146-0x0000000000000000-mapping.dmp

Download
memory/4576-151-0x0000000000C10000-0x0000000000C16000-memory.dmp

Filesize
24KB

Download
memory/4576-152-0x0000000002C90000-0x0000000002D8D000-memory.dmp

Filesize
1012KB

Download
memory/4576-153-0x0000000002D90000-0x0000000002E75000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing