f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd

General

Target

f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe
Size

1.3MB
MD5

68ea1aee55be7782878f81072d1cd1e3
SHA1

08514104bf3f80f3a3e76000f4cb27f1bb7bb99a
SHA256

f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd
SHA512

3f392a809e8dfd4dc39fc78bd4d87bbfb4d8a5c5e241badb8e8aacb9a9dc82c9ebae198a82d8f0a0d542fe1fa54e146d55ec0614d81f0e0e491eca438670a9ec
SSDEEP

24576:gJr8tE+gHqLmZOdhJstcebAwkFJEOyVgDD0yA8D1wWgTqSTqf:gJ4NL7Jstc1CmDH2FuSe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe

Loads dropped DLL 4 IoCs

pid	Process
4772	rundll32.exe
4772	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3360	2928	f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe	88
PID 2928 wrote to memory of 3360	2928	f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe	88
PID 2928 wrote to memory of 3360	2928	f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe	88
PID 3360 wrote to memory of 4772	3360	control.exe	90
PID 3360 wrote to memory of 4772	3360	control.exe	90
PID 3360 wrote to memory of 4772	3360	control.exe	90
PID 4772 wrote to memory of 3992	4772	rundll32.exe	93
PID 4772 wrote to memory of 3992	4772	rundll32.exe	93
PID 3992 wrote to memory of 2152	3992	RunDll32.exe	94
PID 3992 wrote to memory of 2152	3992	RunDll32.exe	94
PID 3992 wrote to memory of 2152	3992	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe
"C:\Users\Admin\AppData\Local\Temp\f002b8c38d96b9aad9d7a9e693da95cf90f085313a38619134c964d0ed600cfd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XAUI.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XAUI.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XAUI.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XAUI.cpl",
        5⤵
        Loads dropped DLL
        
        PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XAUI.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUi.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUi.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUi.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUi.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaUi.cpl

Filesize
1.0MB

MD5
af490b55d846dd6641b9b32139a862db

SHA1
d2deff112dee544725c0f93936241629eb707dae

SHA256
7c229b26b3547537de79583da23a5ebf3c4118aa52ecc8d8de0785310ce95235

SHA512
bdee2927f4d89e68f4b5f7bcb675f8ab12f494cf6b18c973b5a8fbb2674d6e61180b6fac929c31258366afb3659abfc42c9c036a794c74e78c255c4afda21108

Download Submit
memory/2152-165-0x0000000003450000-0x000000000351D000-memory.dmp

Filesize
820KB

Download
memory/2152-163-0x0000000003450000-0x000000000351D000-memory.dmp

Filesize
820KB

Download
memory/2152-161-0x0000000003360000-0x0000000003443000-memory.dmp

Filesize
908KB

Download
memory/2152-160-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/2152-158-0x0000000002C30000-0x0000000002D35000-memory.dmp

Filesize
1.0MB

Download
memory/2152-166-0x0000000003450000-0x000000000351D000-memory.dmp

Filesize
820KB

Download
memory/2152-157-0x0000000002C30000-0x0000000002D35000-memory.dmp

Filesize
1.0MB

Download
memory/4772-146-0x0000000003250000-0x0000000003355000-memory.dmp

Filesize
1.0MB

Download
memory/4772-154-0x00000000036C0000-0x000000000378D000-memory.dmp

Filesize
820KB

Download
memory/4772-153-0x00000000036C0000-0x000000000378D000-memory.dmp

Filesize
820KB

Download
memory/4772-151-0x00000000036C0000-0x000000000378D000-memory.dmp

Filesize
820KB

Download
memory/4772-150-0x00000000036C0000-0x000000000378D000-memory.dmp

Filesize
820KB

Download
memory/4772-149-0x00000000035D0000-0x00000000036B3000-memory.dmp

Filesize
908KB

Download
memory/4772-148-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download
memory/4772-145-0x0000000003250000-0x0000000003355000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing