30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6

General

Target

30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe
Size

1.4MB
MD5

af1f21ad36e87d6653386eadf5e16e8a
SHA1

3b626fc74126bdc244a6716ebafdb77a538c6dff
SHA256

30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6
SHA512

26f654eae982188805b64a5db959cce77e6e0a29cc4c1d7e0595510be78ccb66d0898248ee6453a8f44cd2d00707741b6644cc2d1fdfd47f966e2052f35d6d34
SSDEEP

24576:gJr8tE+gHqEgLfIlIDkjz4hU9bQL5wfI0R1dtJ4iirbwnPVQp9MzTIu:gJ4NEgLfoIuz4G9sL5wrRf8GNQp96ku

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe

Loads dropped DLL 4 IoCs

pid	Process
4548	rundll32.exe
4548	rundll32.exe
4036	rundll32.exe
4036	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4868	2480	30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe	85
PID 2480 wrote to memory of 4868	2480	30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe	85
PID 2480 wrote to memory of 4868	2480	30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe	85
PID 4868 wrote to memory of 4548	4868	control.exe	87
PID 4868 wrote to memory of 4548	4868	control.exe	87
PID 4868 wrote to memory of 4548	4868	control.exe	87
PID 4548 wrote to memory of 1468	4548	rundll32.exe	92
PID 4548 wrote to memory of 1468	4548	rundll32.exe	92
PID 1468 wrote to memory of 4036	1468	RunDll32.exe	93
PID 1468 wrote to memory of 4036	1468	RunDll32.exe	93
PID 1468 wrote to memory of 4036	1468	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe
"C:\Users\Admin\AppData\Local\Temp\30dca270cd1f189ea57fef9f5a7bc6545ad4cb4b7661db037e84b8391b14c2c6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\AISbRr3.Cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AISbRr3.Cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AISbRr3.Cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\AISbRr3.Cpl",
        5⤵
        Loads dropped DLL
        
        PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AISbRr3.Cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AISbrr3.cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AISbrr3.cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AISbrr3.cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AISbrr3.cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AISbrr3.cpl

Filesize
1.1MB

MD5
2957247e631af037ba91f197536b60c9

SHA1
07b0e07c5c4b56e4e9ea3990dffc89ec8a7f5445

SHA256
b1c4d3abc98e88e9429ead2a594b0ac34d6effa38bcd0b5f20d4353390b99502

SHA512
0ca2ce8d35c0b75bfb65eca8b6427d822f0f90df72a5a046589de162ef66c5330284553501365d08a097cb952297add5dc1d2e9ab16d6eab292ecf2ffa79f98f

Download Submit
memory/4036-166-0x0000000002C30000-0x0000000002CF8000-memory.dmp

Filesize
800KB

Download
memory/4036-164-0x0000000002C30000-0x0000000002CF8000-memory.dmp

Filesize
800KB

Download
memory/4036-162-0x0000000002B50000-0x0000000002C2F000-memory.dmp

Filesize
892KB

Download
memory/4036-160-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/4036-158-0x0000000002800000-0x0000000002922000-memory.dmp

Filesize
1.1MB

Download
memory/4036-157-0x0000000002800000-0x0000000002922000-memory.dmp

Filesize
1.1MB

Download
memory/4036-167-0x0000000002C30000-0x0000000002CF8000-memory.dmp

Filesize
800KB

Download
memory/4548-146-0x00000000026B0000-0x00000000027D2000-memory.dmp

Filesize
1.1MB

Download
memory/4548-154-0x0000000002AE0000-0x0000000002BA8000-memory.dmp

Filesize
800KB

Download
memory/4548-153-0x0000000002AE0000-0x0000000002BA8000-memory.dmp

Filesize
800KB

Download
memory/4548-151-0x0000000002AE0000-0x0000000002BA8000-memory.dmp

Filesize
800KB

Download
memory/4548-150-0x0000000002AE0000-0x0000000002BA8000-memory.dmp

Filesize
800KB

Download
memory/4548-149-0x0000000002A00000-0x0000000002ADF000-memory.dmp

Filesize
892KB

Download
memory/4548-148-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/4548-145-0x00000000026B0000-0x00000000027D2000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing