dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19

General

Target

dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe
Size

1.6MB
MD5

0086e6e6b06a52ae52ae433b14b2b2fe
SHA1

33d27959533f8418fdac0914d2e27996440b6239
SHA256

dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19
SHA512

fe0a4fe0e9694bfe4624b277802b23003ee6187fec6dd704196b5bc68e89d2aa0487d7e4bb24d7695437e8a52d676529ba029cf7c3920d72034e9ef93ff56710
SSDEEP

49152:OCWhF7BfJXAEsk4Bd8lJ8gNNV085zx+s7T6j7ma:OCWhF7BfKE2jqJ8KA85zx+sf6jqa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe

Loads dropped DLL 3 IoCs

pid	Process
3608	rundll32.exe
3608	rundll32.exe
1668	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4316	1180	dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe	84
PID 1180 wrote to memory of 4316	1180	dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe	84
PID 1180 wrote to memory of 4316	1180	dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe	84
PID 4316 wrote to memory of 3608	4316	control.exe	85
PID 4316 wrote to memory of 3608	4316	control.exe	85
PID 4316 wrote to memory of 3608	4316	control.exe	85
PID 3608 wrote to memory of 1764	3608	rundll32.exe	91
PID 3608 wrote to memory of 1764	3608	rundll32.exe	91
PID 1764 wrote to memory of 1668	1764	RunDll32.exe	92
PID 1764 wrote to memory of 1668	1764	RunDll32.exe	92
PID 1764 wrote to memory of 1668	1764	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe
"C:\Users\Admin\AppData\Local\Temp\dd4431e123571acf42fba15bf0c3066cd62d6d55c1f9eb55d9a32b2256eebe19.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\PP899OF.C
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PP899OF.C
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PP899OF.C
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PP899OF.C
        5⤵
        Loads dropped DLL
        
        PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PP899OF.C

Filesize
1.0MB

MD5
052ce852f8bbc9c16ad83add6bb67b06

SHA1
c6c264270df6b2b480d02f380a91531ef752a51f

SHA256
6c5154eca9c3e8fd3a963a81c5437b4733179b590991bb5137a7e83200f4e061

SHA512
f59449fdcc801500d512919d3dee7092aa146cf6b6a00cb804871d45868e43a48c79ecfc0650078f6127aee2a0687b34061a944e4c395f34400d46055d5af371

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp899OF.C

Filesize
1.0MB

MD5
052ce852f8bbc9c16ad83add6bb67b06

SHA1
c6c264270df6b2b480d02f380a91531ef752a51f

SHA256
6c5154eca9c3e8fd3a963a81c5437b4733179b590991bb5137a7e83200f4e061

SHA512
f59449fdcc801500d512919d3dee7092aa146cf6b6a00cb804871d45868e43a48c79ecfc0650078f6127aee2a0687b34061a944e4c395f34400d46055d5af371

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp899OF.C

Filesize
1.0MB

MD5
052ce852f8bbc9c16ad83add6bb67b06

SHA1
c6c264270df6b2b480d02f380a91531ef752a51f

SHA256
6c5154eca9c3e8fd3a963a81c5437b4733179b590991bb5137a7e83200f4e061

SHA512
f59449fdcc801500d512919d3dee7092aa146cf6b6a00cb804871d45868e43a48c79ecfc0650078f6127aee2a0687b34061a944e4c395f34400d46055d5af371

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp899OF.C

Filesize
1.0MB

MD5
052ce852f8bbc9c16ad83add6bb67b06

SHA1
c6c264270df6b2b480d02f380a91531ef752a51f

SHA256
6c5154eca9c3e8fd3a963a81c5437b4733179b590991bb5137a7e83200f4e061

SHA512
f59449fdcc801500d512919d3dee7092aa146cf6b6a00cb804871d45868e43a48c79ecfc0650078f6127aee2a0687b34061a944e4c395f34400d46055d5af371

Download Submit
memory/1668-158-0x0000000002FA0000-0x000000000306D000-memory.dmp

Filesize
820KB

Download
memory/1668-157-0x0000000002FA0000-0x000000000306D000-memory.dmp

Filesize
820KB

Download
memory/1668-155-0x0000000002FA0000-0x000000000306D000-memory.dmp

Filesize
820KB

Download
memory/1668-153-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/1668-152-0x0000000002EB0000-0x0000000002F93000-memory.dmp

Filesize
908KB

Download
memory/1668-151-0x0000000002750000-0x0000000002756000-memory.dmp

Filesize
24KB

Download
memory/1668-149-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3608-139-0x0000000002620000-0x0000000002728000-memory.dmp

Filesize
1.0MB

Download
memory/3608-147-0x0000000002B80000-0x0000000002C4D000-memory.dmp

Filesize
820KB

Download
memory/3608-146-0x0000000002B80000-0x0000000002C4D000-memory.dmp

Filesize
820KB

Download
memory/3608-144-0x0000000002B80000-0x0000000002C4D000-memory.dmp

Filesize
820KB

Download
memory/3608-143-0x0000000002B80000-0x0000000002C4D000-memory.dmp

Filesize
820KB

Download
memory/3608-142-0x0000000002870000-0x0000000002953000-memory.dmp

Filesize
908KB

Download
memory/3608-141-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/3608-138-0x0000000002620000-0x0000000002728000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing