ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578

General

Target

ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe
Size

1.5MB
MD5

54f1edc5d105cdd121d697fe2d866f16
SHA1

11a489f32a13d87c039563e4640c958d35878478
SHA256

ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578
SHA512

2fd785739281bfacba1e8575d8691a0ffcf1407c35c205d3bfa627bae8df7164baa53206d643c3ede706cbffb7afed3e001733e949fb1756b39109594db8b231
SSDEEP

24576:WiIy60hvWIUiQjUo7zOh3Dgrf5Ji0uLFNgZCxgCqIwZr64RuVb83QCIi2SX/h8gm:mbzI3DgtJTuLrg2LSReLCI6jNA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe

Loads dropped DLL 3 IoCs

pid	Process
3704	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3876	404	ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe	86
PID 404 wrote to memory of 3876	404	ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe	86
PID 404 wrote to memory of 3876	404	ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe	86
PID 3876 wrote to memory of 3704	3876	control.exe	87
PID 3876 wrote to memory of 3704	3876	control.exe	87
PID 3876 wrote to memory of 3704	3876	control.exe	87
PID 3704 wrote to memory of 1128	3704	rundll32.exe	94
PID 3704 wrote to memory of 1128	3704	rundll32.exe	94
PID 1128 wrote to memory of 1532	1128	RunDll32.exe	95
PID 1128 wrote to memory of 1532	1128	RunDll32.exe	95
PID 1128 wrote to memory of 1532	1128	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe
"C:\Users\Admin\AppData\Local\Temp\ce25d714f9abaa7b25a0ff9c98ffdca1ab932be952264b716f4b5887f438b578.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\YRX44.w
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\YRX44.w
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\YRX44.w
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\YRX44.w
        5⤵
        Loads dropped DLL
        
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YRX44.w

Filesize
1.1MB

MD5
5c4edc865e3c30aea8ea9211aa42b06c

SHA1
a5b68c06155a9bf901e7bc9ff46f76ad63dcfc53

SHA256
369c804a46a85483c7c61ea8c48a74d1a85230da23ba5b001b9886d46ec68cce

SHA512
e5e1d9476f6ac260a230f1c5be7539f094f37932d78d14a3d0745fd679e51b73d2e2b9fdc556fda989d765b1db629bbdb1ca155b6865fc5930d16503f259c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRx44.w

Filesize
1.1MB

MD5
5c4edc865e3c30aea8ea9211aa42b06c

SHA1
a5b68c06155a9bf901e7bc9ff46f76ad63dcfc53

SHA256
369c804a46a85483c7c61ea8c48a74d1a85230da23ba5b001b9886d46ec68cce

SHA512
e5e1d9476f6ac260a230f1c5be7539f094f37932d78d14a3d0745fd679e51b73d2e2b9fdc556fda989d765b1db629bbdb1ca155b6865fc5930d16503f259c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRx44.w

Filesize
1.1MB

MD5
5c4edc865e3c30aea8ea9211aa42b06c

SHA1
a5b68c06155a9bf901e7bc9ff46f76ad63dcfc53

SHA256
369c804a46a85483c7c61ea8c48a74d1a85230da23ba5b001b9886d46ec68cce

SHA512
e5e1d9476f6ac260a230f1c5be7539f094f37932d78d14a3d0745fd679e51b73d2e2b9fdc556fda989d765b1db629bbdb1ca155b6865fc5930d16503f259c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRx44.w

Filesize
1.1MB

MD5
5c4edc865e3c30aea8ea9211aa42b06c

SHA1
a5b68c06155a9bf901e7bc9ff46f76ad63dcfc53

SHA256
369c804a46a85483c7c61ea8c48a74d1a85230da23ba5b001b9886d46ec68cce

SHA512
e5e1d9476f6ac260a230f1c5be7539f094f37932d78d14a3d0745fd679e51b73d2e2b9fdc556fda989d765b1db629bbdb1ca155b6865fc5930d16503f259c2f2

Download Submit
memory/1532-151-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/1532-149-0x0000000002590000-0x00000000026B0000-memory.dmp

Filesize
1.1MB

Download
memory/1532-150-0x0000000002590000-0x00000000026B0000-memory.dmp

Filesize
1.1MB

Download
memory/1532-155-0x00000000028D0000-0x00000000029B5000-memory.dmp

Filesize
916KB

Download
memory/1532-156-0x0000000000C10000-0x0000000000CDE000-memory.dmp

Filesize
824KB

Download
memory/1532-159-0x0000000000C10000-0x0000000000CDE000-memory.dmp

Filesize
824KB

Download
memory/1532-160-0x0000000000C10000-0x0000000000CDE000-memory.dmp

Filesize
824KB

Download
memory/3704-142-0x00000000031E0000-0x00000000032AE000-memory.dmp

Filesize
824KB

Download
memory/3704-145-0x00000000031E0000-0x00000000032AE000-memory.dmp

Filesize
824KB

Download
memory/3704-146-0x00000000031E0000-0x00000000032AE000-memory.dmp

Filesize
824KB

Download
memory/3704-141-0x00000000030F0000-0x00000000031D5000-memory.dmp

Filesize
916KB

Download
memory/3704-139-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download
memory/3704-137-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing