4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16

General

Target

4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe
Size

1.6MB
MD5

9e06a0786468ed24345a62da7b900151
SHA1

d750896c4d733e08826e40a98caed1069c119d61
SHA256

4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16
SHA512

443cdd55bc6b0c169c1862eacdd0fa1fd44bbc2dfa5357a8a626b61187ab53bc372e22e154e16bae8f61eaee42efdbca1fa210b5e474f6043360d1f3dcbe34ee
SSDEEP

49152:oeZB+BfJXAEKvukFsT5/NYzLoHP8ZrOO2FKMZJAm2F:oeZB+BfKEKFsT5az8Hyz2YM2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe

Loads dropped DLL 3 IoCs

pid	Process
584	rundll32.exe
584	rundll32.exe
2248	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2880	1332	4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe	85
PID 1332 wrote to memory of 2880	1332	4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe	85
PID 1332 wrote to memory of 2880	1332	4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe	85
PID 2880 wrote to memory of 584	2880	control.exe	86
PID 2880 wrote to memory of 584	2880	control.exe	86
PID 2880 wrote to memory of 584	2880	control.exe	86
PID 584 wrote to memory of 2440	584	rundll32.exe	93
PID 584 wrote to memory of 2440	584	rundll32.exe	93
PID 2440 wrote to memory of 2248	2440	RunDll32.exe	94
PID 2440 wrote to memory of 2248	2440	RunDll32.exe	94
PID 2440 wrote to memory of 2248	2440	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe
"C:\Users\Admin\AppData\Local\Temp\4b73d0d14bc8754a2bfe8718e1d3d9d7b5d902f9b8d6336a33c7164992b81e16.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\OKqlBO1X.4T
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\OKqlBO1X.4T
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\OKqlBO1X.4T
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\OKqlBO1X.4T
        5⤵
        Loads dropped DLL
        
        PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OKqlBO1X.4T

Filesize
1.1MB

MD5
2ed87c60aa7478ff588ca98aa4f0f26d

SHA1
7b2569fd1fceafa5d328f9ecb0e0a25c937ef949

SHA256
f16d0f341f32f8a1549d164ea3f6bab0a8479364bfbb7ca3918ee0d3874bc67f

SHA512
e645d90d37987f313e41dadd18a0c14c63a9f41ec70e48cbe6acaa8f1455aee685bb63ce48c368c70ec24ec052943bbe25ea3adec436b427c0020ec7d9d81df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKqlbO1X.4T

Filesize
1.1MB

MD5
2ed87c60aa7478ff588ca98aa4f0f26d

SHA1
7b2569fd1fceafa5d328f9ecb0e0a25c937ef949

SHA256
f16d0f341f32f8a1549d164ea3f6bab0a8479364bfbb7ca3918ee0d3874bc67f

SHA512
e645d90d37987f313e41dadd18a0c14c63a9f41ec70e48cbe6acaa8f1455aee685bb63ce48c368c70ec24ec052943bbe25ea3adec436b427c0020ec7d9d81df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKqlbO1X.4T

Filesize
1.1MB

MD5
2ed87c60aa7478ff588ca98aa4f0f26d

SHA1
7b2569fd1fceafa5d328f9ecb0e0a25c937ef949

SHA256
f16d0f341f32f8a1549d164ea3f6bab0a8479364bfbb7ca3918ee0d3874bc67f

SHA512
e645d90d37987f313e41dadd18a0c14c63a9f41ec70e48cbe6acaa8f1455aee685bb63ce48c368c70ec24ec052943bbe25ea3adec436b427c0020ec7d9d81df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKqlbO1X.4T

Filesize
1.1MB

MD5
2ed87c60aa7478ff588ca98aa4f0f26d

SHA1
7b2569fd1fceafa5d328f9ecb0e0a25c937ef949

SHA256
f16d0f341f32f8a1549d164ea3f6bab0a8479364bfbb7ca3918ee0d3874bc67f

SHA512
e645d90d37987f313e41dadd18a0c14c63a9f41ec70e48cbe6acaa8f1455aee685bb63ce48c368c70ec24ec052943bbe25ea3adec436b427c0020ec7d9d81df5

Download Submit
memory/584-146-0x0000000002BE0000-0x0000000002CB2000-memory.dmp

Filesize
840KB

Download
memory/584-141-0x0000000000C50000-0x0000000000C56000-memory.dmp

Filesize
24KB

Download
memory/584-142-0x00000000029E0000-0x0000000002AC7000-memory.dmp

Filesize
924KB

Download
memory/584-143-0x0000000002BE0000-0x0000000002CB2000-memory.dmp

Filesize
840KB

Download
memory/584-139-0x00000000027C0000-0x00000000028D8000-memory.dmp

Filesize
1.1MB

Download
memory/584-147-0x0000000002BE0000-0x0000000002CB2000-memory.dmp

Filesize
840KB

Download
memory/584-138-0x00000000027C0000-0x00000000028D8000-memory.dmp

Filesize
1.1MB

Download
memory/2248-149-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2248-151-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/2248-154-0x0000000003050000-0x0000000003137000-memory.dmp

Filesize
924KB

Download
memory/2248-155-0x0000000003350000-0x0000000003422000-memory.dmp

Filesize
840KB

Download
memory/2248-158-0x0000000003350000-0x0000000003422000-memory.dmp

Filesize
840KB

Download
memory/2248-159-0x0000000003350000-0x0000000003422000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing