3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a

General

Target

3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe
Size

1.3MB
MD5

b00cdd5d39a71c7043305c268d3c1833
SHA1

202fb7dba112e1e78e89a8159db47176aa86042a
SHA256

3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a
SHA512

a615487793d67306a96b7a69f50e83eb2ce8d6d3ae17c5b7104eaa4ef3014ce6cd7900708483c809b10525d0c72ac499a42042f0fceaa6fa08fd01ff73e2f3c4
SSDEEP

24576:gJr8tE+gHqHAV4psT80BvX7FANJhrzX4NjMXEEjedB6zHkxjdW7bQkKq123X:gJ4Ng6+Ay7KJhINQzXQxjdWy22X

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe

Loads dropped DLL 3 IoCs

pid	Process
2560	rundll32.exe
2560	rundll32.exe
4444	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3376	4464	3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe	86
PID 4464 wrote to memory of 3376	4464	3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe	86
PID 4464 wrote to memory of 3376	4464	3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe	86
PID 3376 wrote to memory of 2560	3376	control.exe	88
PID 3376 wrote to memory of 2560	3376	control.exe	88
PID 3376 wrote to memory of 2560	3376	control.exe	88
PID 2560 wrote to memory of 5100	2560	rundll32.exe	89
PID 2560 wrote to memory of 5100	2560	rundll32.exe	89
PID 5100 wrote to memory of 4444	5100	RunDll32.exe	90
PID 5100 wrote to memory of 4444	5100	RunDll32.exe	90
PID 5100 wrote to memory of 4444	5100	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe
"C:\Users\Admin\AppData\Local\Temp\3b436dd40ff12e6cfe5609a4062834ac9a44d07b84ca798190942058f5629e8a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\iXZMRXe.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iXZMRXe.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iXZMRXe.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\iXZMRXe.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iXZMRXe.cPl

Filesize
1.1MB

MD5
904efa58a86b643db1f8e45cdee2e925

SHA1
f56a0927622726f6575c4f01b89db4635ccde2fb

SHA256
3839dbfec8c99734572156973b8f6518e159c9e3c9ea256181844b6997107700

SHA512
4e4b472ec8a45a2faf032204c077fdab9992312155624e7c4171cadfe72637c825033d9a3d7acc343002c525ac66578f2e9bd8ed38ad039a2e4d6011aea200e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixzMrXe.cpl

Filesize
1.1MB

MD5
904efa58a86b643db1f8e45cdee2e925

SHA1
f56a0927622726f6575c4f01b89db4635ccde2fb

SHA256
3839dbfec8c99734572156973b8f6518e159c9e3c9ea256181844b6997107700

SHA512
4e4b472ec8a45a2faf032204c077fdab9992312155624e7c4171cadfe72637c825033d9a3d7acc343002c525ac66578f2e9bd8ed38ad039a2e4d6011aea200e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixzMrXe.cpl

Filesize
1.1MB

MD5
904efa58a86b643db1f8e45cdee2e925

SHA1
f56a0927622726f6575c4f01b89db4635ccde2fb

SHA256
3839dbfec8c99734572156973b8f6518e159c9e3c9ea256181844b6997107700

SHA512
4e4b472ec8a45a2faf032204c077fdab9992312155624e7c4171cadfe72637c825033d9a3d7acc343002c525ac66578f2e9bd8ed38ad039a2e4d6011aea200e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixzMrXe.cpl

Filesize
1.1MB

MD5
904efa58a86b643db1f8e45cdee2e925

SHA1
f56a0927622726f6575c4f01b89db4635ccde2fb

SHA256
3839dbfec8c99734572156973b8f6518e159c9e3c9ea256181844b6997107700

SHA512
4e4b472ec8a45a2faf032204c077fdab9992312155624e7c4171cadfe72637c825033d9a3d7acc343002c525ac66578f2e9bd8ed38ad039a2e4d6011aea200e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixzMrXe.cpl

Filesize
1.1MB

MD5
904efa58a86b643db1f8e45cdee2e925

SHA1
f56a0927622726f6575c4f01b89db4635ccde2fb

SHA256
3839dbfec8c99734572156973b8f6518e159c9e3c9ea256181844b6997107700

SHA512
4e4b472ec8a45a2faf032204c077fdab9992312155624e7c4171cadfe72637c825033d9a3d7acc343002c525ac66578f2e9bd8ed38ad039a2e4d6011aea200e9

Download Submit
memory/2560-154-0x0000000002A80000-0x0000000002B57000-memory.dmp

Filesize
860KB

Download
memory/2560-148-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/2560-149-0x0000000002990000-0x0000000002A7C000-memory.dmp

Filesize
944KB

Download
memory/2560-150-0x0000000002A80000-0x0000000002B57000-memory.dmp

Filesize
860KB

Download
memory/2560-151-0x0000000002A80000-0x0000000002B57000-memory.dmp

Filesize
860KB

Download
memory/2560-153-0x0000000002A80000-0x0000000002B57000-memory.dmp

Filesize
860KB

Download
memory/2560-145-0x00000000025C0000-0x00000000026D8000-memory.dmp

Filesize
1.1MB

Download
memory/2560-146-0x00000000025C0000-0x00000000026D8000-memory.dmp

Filesize
1.1MB

Download
memory/4444-163-0x0000000003210000-0x00000000032E7000-memory.dmp

Filesize
860KB

Download
memory/4444-158-0x0000000002A30000-0x0000000002A36000-memory.dmp

Filesize
24KB

Download
memory/4444-159-0x0000000003120000-0x000000000320C000-memory.dmp

Filesize
944KB

Download
memory/4444-161-0x0000000003210000-0x00000000032E7000-memory.dmp

Filesize
860KB

Download
memory/4444-156-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4444-164-0x0000000003210000-0x00000000032E7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing