61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a

General

Target

61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe
Size

1.6MB
MD5

d122fbe1c317a444d281499977d7a6c5
SHA1

17f116afb5b4228bdde7e13259160b7ca3fce3d2
SHA256

61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a
SHA512

ecbe6936c9a9bf2a0138cb3c9510d2d00092fd308e0c8bdb3ec95ac1ea91fa8882d453f1652572d2bd3e518719c4413838218a7aedc006d37d64b144119253c0
SSDEEP

49152:dNsWhFZBfJXAE4ILZVKFFBsS3wrPHISIROJ:TsWhFZBfKEtwxXzm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe

Loads dropped DLL 3 IoCs

pid	Process
1392	rundll32.exe
4484	rundll32.exe
4484	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3008	1612	61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe	85
PID 1612 wrote to memory of 3008	1612	61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe	85
PID 1612 wrote to memory of 3008	1612	61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe	85
PID 3008 wrote to memory of 1392	3008	control.exe	86
PID 3008 wrote to memory of 1392	3008	control.exe	86
PID 3008 wrote to memory of 1392	3008	control.exe	86
PID 1392 wrote to memory of 1264	1392	rundll32.exe	90
PID 1392 wrote to memory of 1264	1392	rundll32.exe	90
PID 1264 wrote to memory of 4484	1264	RunDll32.exe	91
PID 1264 wrote to memory of 4484	1264	RunDll32.exe	91
PID 1264 wrote to memory of 4484	1264	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe
"C:\Users\Admin\AppData\Local\Temp\61fcbbb8c74c5c4e14db8cf5345acb1cdcdaee54f68b7f36804f83999b893a5a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\MC_TfXX.0eZ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\MC_TfXX.0eZ
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\MC_TfXX.0eZ
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\MC_TfXX.0eZ
        5⤵
        Loads dropped DLL
        
        PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MC_TfXX.0eZ

Filesize
1.0MB

MD5
aa11b1d94b9c7acfd05b1952b4aefbe2

SHA1
666781f3d5715d19b0d866bb4698844cf587f690

SHA256
ade1065dbfc6c622c12a5a77b51671d39363c4c4d879ef32d11c529143b5bcda

SHA512
1ed4794bcc1ccfd9881d7d57e9a638896bef5a97c1fdbf6fd01ead90a315a2acaebc4760721ba159b2fdfa986d35fa6a785146daad3c88d848c8c67fdfb3095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mC_TfxX.0eZ

Filesize
1.0MB

MD5
aa11b1d94b9c7acfd05b1952b4aefbe2

SHA1
666781f3d5715d19b0d866bb4698844cf587f690

SHA256
ade1065dbfc6c622c12a5a77b51671d39363c4c4d879ef32d11c529143b5bcda

SHA512
1ed4794bcc1ccfd9881d7d57e9a638896bef5a97c1fdbf6fd01ead90a315a2acaebc4760721ba159b2fdfa986d35fa6a785146daad3c88d848c8c67fdfb3095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mC_TfxX.0eZ

Filesize
1.0MB

MD5
aa11b1d94b9c7acfd05b1952b4aefbe2

SHA1
666781f3d5715d19b0d866bb4698844cf587f690

SHA256
ade1065dbfc6c622c12a5a77b51671d39363c4c4d879ef32d11c529143b5bcda

SHA512
1ed4794bcc1ccfd9881d7d57e9a638896bef5a97c1fdbf6fd01ead90a315a2acaebc4760721ba159b2fdfa986d35fa6a785146daad3c88d848c8c67fdfb3095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mC_TfxX.0eZ

Filesize
1.0MB

MD5
aa11b1d94b9c7acfd05b1952b4aefbe2

SHA1
666781f3d5715d19b0d866bb4698844cf587f690

SHA256
ade1065dbfc6c622c12a5a77b51671d39363c4c4d879ef32d11c529143b5bcda

SHA512
1ed4794bcc1ccfd9881d7d57e9a638896bef5a97c1fdbf6fd01ead90a315a2acaebc4760721ba159b2fdfa986d35fa6a785146daad3c88d848c8c67fdfb3095b

Download Submit
memory/1392-145-0x00000000032C0000-0x0000000003383000-memory.dmp

Filesize
780KB

Download
memory/1392-137-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1392-142-0x00000000032C0000-0x0000000003383000-memory.dmp

Filesize
780KB

Download
memory/1392-144-0x00000000032C0000-0x0000000003383000-memory.dmp

Filesize
780KB

Download
memory/1392-140-0x00000000031E0000-0x00000000032BA000-memory.dmp

Filesize
872KB

Download
memory/1392-139-0x0000000001520000-0x0000000001526000-memory.dmp

Filesize
24KB

Download
memory/1392-141-0x00000000032C0000-0x0000000003383000-memory.dmp

Filesize
780KB

Download
memory/4484-148-0x0000000002460000-0x0000000002567000-memory.dmp

Filesize
1.0MB

Download
memory/4484-149-0x0000000002460000-0x0000000002567000-memory.dmp

Filesize
1.0MB

Download
memory/4484-151-0x0000000002010000-0x0000000002016000-memory.dmp

Filesize
24KB

Download
memory/4484-152-0x0000000002750000-0x000000000282A000-memory.dmp

Filesize
872KB

Download
memory/4484-154-0x0000000002840000-0x0000000002903000-memory.dmp

Filesize
780KB

Download
memory/4484-156-0x0000000002840000-0x0000000002903000-memory.dmp

Filesize
780KB

Download
memory/4484-157-0x0000000002840000-0x0000000002903000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing