9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25

General

Target

9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe
Size

1.6MB
MD5

8cb9c5744bf5b792c0dfe7f26a43b2d9
SHA1

fab2f00c33a901061fbd8160d595e99e9a8323bb
SHA256

9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25
SHA512

5dfff21d7958066a8aedfba87771e512d204dfd8be8abad996566f15b824c6b71a6b11292c0d27e530ee216cb6d03298b70bb725fb1d8d4fce0118f163cb9089
SSDEEP

49152:OCWhF7BfJXAEsIfENqXIkTogiT5z1DPsisP8:OCWhF7BfKEHzXG1Rs2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe

Loads dropped DLL 3 IoCs

pid	Process
536	rundll32.exe
536	rundll32.exe
4224	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3536	4604	9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe	84
PID 4604 wrote to memory of 3536	4604	9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe	84
PID 4604 wrote to memory of 3536	4604	9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe	84
PID 3536 wrote to memory of 536	3536	control.exe	86
PID 3536 wrote to memory of 536	3536	control.exe	86
PID 3536 wrote to memory of 536	3536	control.exe	86
PID 536 wrote to memory of 3964	536	rundll32.exe	89
PID 536 wrote to memory of 3964	536	rundll32.exe	89
PID 3964 wrote to memory of 4224	3964	RunDll32.exe	90
PID 3964 wrote to memory of 4224	3964	RunDll32.exe	90
PID 3964 wrote to memory of 4224	3964	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe
"C:\Users\Admin\AppData\Local\Temp\9e85f7943e932ddc83d3857cf119e4805d108e24e429cee2440ad7ccc745da25.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\WzOc.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WzOc.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\WzOc.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\WzOc.cpl",
        5⤵
        Loads dropped DLL
        
        PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WzOc.cpl

Filesize
1.0MB

MD5
f6e9c1e40fe4909e33c29737ad2bf98c

SHA1
136e70a71382b157455c55ca83f42c23732a504e

SHA256
ca4d5511062831eefd42f9aad668fd97c669a7d6883446ff39a703927e88f0a5

SHA512
2bca5d403004b0141a47285eba3ab32bd2eb9f2534d334c74df7e722f9985bad014b540adcf8ed38230488fb11470b8b5eb5ca121d1a09044c25f4341024054e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzOc.cpl

Filesize
1.0MB

MD5
f6e9c1e40fe4909e33c29737ad2bf98c

SHA1
136e70a71382b157455c55ca83f42c23732a504e

SHA256
ca4d5511062831eefd42f9aad668fd97c669a7d6883446ff39a703927e88f0a5

SHA512
2bca5d403004b0141a47285eba3ab32bd2eb9f2534d334c74df7e722f9985bad014b540adcf8ed38230488fb11470b8b5eb5ca121d1a09044c25f4341024054e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzOc.cpl

Filesize
1.0MB

MD5
f6e9c1e40fe4909e33c29737ad2bf98c

SHA1
136e70a71382b157455c55ca83f42c23732a504e

SHA256
ca4d5511062831eefd42f9aad668fd97c669a7d6883446ff39a703927e88f0a5

SHA512
2bca5d403004b0141a47285eba3ab32bd2eb9f2534d334c74df7e722f9985bad014b540adcf8ed38230488fb11470b8b5eb5ca121d1a09044c25f4341024054e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzOc.cpl

Filesize
1.0MB

MD5
f6e9c1e40fe4909e33c29737ad2bf98c

SHA1
136e70a71382b157455c55ca83f42c23732a504e

SHA256
ca4d5511062831eefd42f9aad668fd97c669a7d6883446ff39a703927e88f0a5

SHA512
2bca5d403004b0141a47285eba3ab32bd2eb9f2534d334c74df7e722f9985bad014b540adcf8ed38230488fb11470b8b5eb5ca121d1a09044c25f4341024054e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzOc.cpl

Filesize
1.0MB

MD5
f6e9c1e40fe4909e33c29737ad2bf98c

SHA1
136e70a71382b157455c55ca83f42c23732a504e

SHA256
ca4d5511062831eefd42f9aad668fd97c669a7d6883446ff39a703927e88f0a5

SHA512
2bca5d403004b0141a47285eba3ab32bd2eb9f2534d334c74df7e722f9985bad014b540adcf8ed38230488fb11470b8b5eb5ca121d1a09044c25f4341024054e

Download Submit
memory/536-153-0x0000000002BA0000-0x0000000002C6D000-memory.dmp

Filesize
820KB

Download
memory/536-145-0x00000000027A0000-0x00000000028AA000-memory.dmp

Filesize
1.0MB

Download
memory/536-149-0x0000000002AB0000-0x0000000002B94000-memory.dmp

Filesize
912KB

Download
memory/536-150-0x0000000002BA0000-0x0000000002C6D000-memory.dmp

Filesize
820KB

Download
memory/536-151-0x0000000002BA0000-0x0000000002C6D000-memory.dmp

Filesize
820KB

Download
memory/536-146-0x00000000027A0000-0x00000000028AA000-memory.dmp

Filesize
1.0MB

Download
memory/536-154-0x0000000002BA0000-0x0000000002C6D000-memory.dmp

Filesize
820KB

Download
memory/536-148-0x0000000000920000-0x0000000000926000-memory.dmp

Filesize
24KB

Download
memory/4224-156-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4224-158-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/4224-159-0x0000000002D50000-0x0000000002E34000-memory.dmp

Filesize
912KB

Download
memory/4224-160-0x0000000002E40000-0x0000000002F0D000-memory.dmp

Filesize
820KB

Download
memory/4224-161-0x0000000002E40000-0x0000000002F0D000-memory.dmp

Filesize
820KB

Download
memory/4224-163-0x0000000002E40000-0x0000000002F0D000-memory.dmp

Filesize
820KB

Download
memory/4224-164-0x0000000002E40000-0x0000000002F0D000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing