bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d

General

Target

bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe
Size

1.8MB
MD5

66f9c1e4ce51bdd179d7bd9d2db53a09
SHA1

a255e40ed453fbb8086a3dda2f61799839b2a43a
SHA256

bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d
SHA512

a95b59d6b00042447d701d858d872c7d2dfbfe52a3744b12dd07cfc48a6f912071ba56f7f16b592d23c2b97753646a72c2c14b9ae521bfb36b3c8c9112a905c6
SSDEEP

49152:beWh6RBfJXAE6U2DoBZO9jwIUfTNPhGPi66Yp:beWh6RBfKEYDiZO90rNPhGPzp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe

Loads dropped DLL 2 IoCs

pid	Process
3484	rundll32.exe
4684	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1232	1008	bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe	86
PID 1008 wrote to memory of 1232	1008	bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe	86
PID 1008 wrote to memory of 1232	1008	bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe	86
PID 1232 wrote to memory of 3484	1232	control.exe	88
PID 1232 wrote to memory of 3484	1232	control.exe	88
PID 1232 wrote to memory of 3484	1232	control.exe	88
PID 3484 wrote to memory of 2776	3484	rundll32.exe	92
PID 3484 wrote to memory of 2776	3484	rundll32.exe	92
PID 2776 wrote to memory of 4684	2776	RunDll32.exe	93
PID 2776 wrote to memory of 4684	2776	RunDll32.exe	93
PID 2776 wrote to memory of 4684	2776	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe
"C:\Users\Admin\AppData\Local\Temp\bee966732580dcf8d67d38a4d530e77ddc5dfb9b41aa1b31eb8452ff4087062d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\X_Rr4.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\X_Rr4.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\X_Rr4.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\X_Rr4.CpL",
        5⤵
        Loads dropped DLL
        
        PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X_Rr4.CpL

Filesize
1.2MB

MD5
05e2d1e3f971703138ce8391761fe5fa

SHA1
5a95fbfd6f9674d52c6602836e4067bee7c1a84d

SHA256
0a31a43e3d8cad2eccfa7155e2a12274d0463a4c32d86ad802c7859e7b8644de

SHA512
d2af53c0090fc10b27888d3c1ca3504039cc329075ea0239222f7fa0ab355388849ca7f612dbdb6419e0c533576e5fea27f4051217520ddb5ed6061fa6071b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\X_Rr4.cpl

Filesize
1.2MB

MD5
05e2d1e3f971703138ce8391761fe5fa

SHA1
5a95fbfd6f9674d52c6602836e4067bee7c1a84d

SHA256
0a31a43e3d8cad2eccfa7155e2a12274d0463a4c32d86ad802c7859e7b8644de

SHA512
d2af53c0090fc10b27888d3c1ca3504039cc329075ea0239222f7fa0ab355388849ca7f612dbdb6419e0c533576e5fea27f4051217520ddb5ed6061fa6071b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\X_Rr4.cpl

Filesize
1.2MB

MD5
05e2d1e3f971703138ce8391761fe5fa

SHA1
5a95fbfd6f9674d52c6602836e4067bee7c1a84d

SHA256
0a31a43e3d8cad2eccfa7155e2a12274d0463a4c32d86ad802c7859e7b8644de

SHA512
d2af53c0090fc10b27888d3c1ca3504039cc329075ea0239222f7fa0ab355388849ca7f612dbdb6419e0c533576e5fea27f4051217520ddb5ed6061fa6071b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\X_Rr4.cpl

Filesize
1.2MB

MD5
05e2d1e3f971703138ce8391761fe5fa

SHA1
5a95fbfd6f9674d52c6602836e4067bee7c1a84d

SHA256
0a31a43e3d8cad2eccfa7155e2a12274d0463a4c32d86ad802c7859e7b8644de

SHA512
d2af53c0090fc10b27888d3c1ca3504039cc329075ea0239222f7fa0ab355388849ca7f612dbdb6419e0c533576e5fea27f4051217520ddb5ed6061fa6071b10

Download Submit
memory/3484-144-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3484-147-0x0000000002C80000-0x0000000002D63000-memory.dmp

Filesize
908KB

Download
memory/3484-148-0x0000000002D70000-0x0000000002E3F000-memory.dmp

Filesize
828KB

Download
memory/3484-151-0x0000000002D70000-0x0000000002E3F000-memory.dmp

Filesize
828KB

Download
memory/3484-152-0x0000000002D70000-0x0000000002E3F000-memory.dmp

Filesize
828KB

Download
memory/3484-146-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/4684-156-0x0000000001270000-0x0000000001276000-memory.dmp

Filesize
24KB

Download
memory/4684-159-0x0000000003350000-0x0000000003433000-memory.dmp

Filesize
908KB

Download
memory/4684-160-0x0000000003440000-0x000000000350F000-memory.dmp

Filesize
828KB

Download
memory/4684-163-0x0000000003440000-0x000000000350F000-memory.dmp

Filesize
828KB

Download
memory/4684-164-0x0000000003440000-0x000000000350F000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing