341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858

General

Target

341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe
Size

1.7MB
MD5

499d97c32204b0fab09c93f602b53726
SHA1

d557717f94342840fe0aaa78129f7de5e4a98d16
SHA256

341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858
SHA512

356bbc1d0f60cad9c59fac3e858d86f8009518e5c1d9f5a904d24dce284d7c0823d37180ce881bbf0a7965d7c7ec3b5255ed20861dce1c773277a2cb1ac1b919
SSDEEP

49152:W+Whq+BfJXAEExkSDjuQE8HspIB+Z5yHnUEFFSqdK/qKH:W+Whq+BfKE+vDjuh8HsLMnnSq9KH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	rundll32.exe
64	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 1184	4328	341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe	86
PID 4328 wrote to memory of 1184	4328	341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe	86
PID 4328 wrote to memory of 1184	4328	341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe	86
PID 1184 wrote to memory of 2984	1184	control.exe	88
PID 1184 wrote to memory of 2984	1184	control.exe	88
PID 1184 wrote to memory of 2984	1184	control.exe	88
PID 2984 wrote to memory of 3468	2984	rundll32.exe	89
PID 2984 wrote to memory of 3468	2984	rundll32.exe	89
PID 3468 wrote to memory of 64	3468	RunDll32.exe	90
PID 3468 wrote to memory of 64	3468	RunDll32.exe	90
PID 3468 wrote to memory of 64	3468	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe
"C:\Users\Admin\AppData\Local\Temp\341e4ed476b233a4d86441c0362017ce8adea1011e32f2af006b43a42545a858.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpL",
        5⤵
        Loads dropped DLL
        
        PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpL

Filesize
1.1MB

MD5
42f22bc83d191897a07fa111618071c4

SHA1
52f2be8e1a7ded03fb05f0c49871df58b70f9d6a

SHA256
ac4316d1cbe434a6a107590b85446f51605a4d1935a317df7f7799971c4c5711

SHA512
b7763a57efd186c87df875779e0d14070ce47bbb6e8fde3e46a6d7deceec326cb0a32f86d6ddc7f97c7272fd8f4f40c0ba0ccb05232f4554cac96bf2eb2dba55

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpl

Filesize
1.1MB

MD5
42f22bc83d191897a07fa111618071c4

SHA1
52f2be8e1a7ded03fb05f0c49871df58b70f9d6a

SHA256
ac4316d1cbe434a6a107590b85446f51605a4d1935a317df7f7799971c4c5711

SHA512
b7763a57efd186c87df875779e0d14070ce47bbb6e8fde3e46a6d7deceec326cb0a32f86d6ddc7f97c7272fd8f4f40c0ba0ccb05232f4554cac96bf2eb2dba55

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpl

Filesize
1.1MB

MD5
42f22bc83d191897a07fa111618071c4

SHA1
52f2be8e1a7ded03fb05f0c49871df58b70f9d6a

SHA256
ac4316d1cbe434a6a107590b85446f51605a4d1935a317df7f7799971c4c5711

SHA512
b7763a57efd186c87df875779e0d14070ce47bbb6e8fde3e46a6d7deceec326cb0a32f86d6ddc7f97c7272fd8f4f40c0ba0ccb05232f4554cac96bf2eb2dba55

Download Submit
C:\Users\Admin\AppData\Local\Temp\GNzYOrs.cpl

Filesize
1.1MB

MD5
42f22bc83d191897a07fa111618071c4

SHA1
52f2be8e1a7ded03fb05f0c49871df58b70f9d6a

SHA256
ac4316d1cbe434a6a107590b85446f51605a4d1935a317df7f7799971c4c5711

SHA512
b7763a57efd186c87df875779e0d14070ce47bbb6e8fde3e46a6d7deceec326cb0a32f86d6ddc7f97c7272fd8f4f40c0ba0ccb05232f4554cac96bf2eb2dba55

Download Submit
memory/64-164-0x0000000002FB0000-0x0000000003097000-memory.dmp

Filesize
924KB

Download
memory/64-163-0x0000000002FB0000-0x0000000003097000-memory.dmp

Filesize
924KB

Download
memory/64-160-0x0000000002FB0000-0x0000000003097000-memory.dmp

Filesize
924KB

Download
memory/64-159-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download
memory/64-157-0x0000000000F10000-0x0000000000F16000-memory.dmp

Filesize
24KB

Download
memory/2984-144-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2984-153-0x0000000003370000-0x0000000003457000-memory.dmp

Filesize
924KB

Download
memory/2984-152-0x0000000003370000-0x0000000003457000-memory.dmp

Filesize
924KB

Download
memory/2984-149-0x0000000003370000-0x0000000003457000-memory.dmp

Filesize
924KB

Download
memory/2984-148-0x0000000003270000-0x0000000003370000-memory.dmp

Filesize
1024KB

Download
memory/2984-146-0x0000000001320000-0x0000000001326000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing