6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1

General

Target

6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe
Size

1.6MB
MD5

f8e51d2987bbdeaed78cfb09ed7ad527
SHA1

6efbfd56bfcc9fa44a8f09ffc6f38a5f920eca38
SHA256

6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1
SHA512

ff8659d962927e5cdbf3b070d561dabd800d94a9a7a27bf085fc3dab464077f47d8688563e7f19dfc4794b255dc5350884551e010063e8fe393a2c45b09653bd
SSDEEP

49152:W+Whq+BfJXAEE9/+RV/d5j66WvsrDZURYxgvkI:W+Whq+BfKEJRV/jok9SvkI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe

Loads dropped DLL 3 IoCs

pid	Process
2260	rundll32.exe
2260	rundll32.exe
4496	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 948	4044	6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe	84
PID 4044 wrote to memory of 948	4044	6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe	84
PID 4044 wrote to memory of 948	4044	6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe	84
PID 948 wrote to memory of 2260	948	control.exe	86
PID 948 wrote to memory of 2260	948	control.exe	86
PID 948 wrote to memory of 2260	948	control.exe	86
PID 2260 wrote to memory of 2704	2260	rundll32.exe	87
PID 2260 wrote to memory of 2704	2260	rundll32.exe	87
PID 2704 wrote to memory of 4496	2704	RunDll32.exe	88
PID 2704 wrote to memory of 4496	2704	RunDll32.exe	88
PID 2704 wrote to memory of 4496	2704	RunDll32.exe	88

C:\Users\Admin\AppData\Local\Temp\6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe
"C:\Users\Admin\AppData\Local\Temp\6adada5196edb692dd6dc245ef9a24459371d292a7e09cafabe15afc60d55de1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\iXP4.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iXP4.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iXP4.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\iXP4.cpl",
        5⤵
        Loads dropped DLL
        
        PID:4496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iXP4.cpl

Filesize
1.1MB

MD5
9eab288cdb6a275c6963d8db7f289e34

SHA1
a3427b3930fb3dae6a18d85f2a115ba70a6310e9

SHA256
b0915769671365d4fc39ca2b91c68528cb9f4d7eb92980e9b9805530123b26a5

SHA512
3da4a5b2b9001cf2c64b24341463ad9c8a83e63404371a9b7f6326647e62be9ac5c2eaab750cd0c575c4a1b0935c49cf6c039b6d4b0591a32c262b5ff74856c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixp4.cpl

Filesize
1.1MB

MD5
9eab288cdb6a275c6963d8db7f289e34

SHA1
a3427b3930fb3dae6a18d85f2a115ba70a6310e9

SHA256
b0915769671365d4fc39ca2b91c68528cb9f4d7eb92980e9b9805530123b26a5

SHA512
3da4a5b2b9001cf2c64b24341463ad9c8a83e63404371a9b7f6326647e62be9ac5c2eaab750cd0c575c4a1b0935c49cf6c039b6d4b0591a32c262b5ff74856c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixp4.cpl

Filesize
1.1MB

MD5
9eab288cdb6a275c6963d8db7f289e34

SHA1
a3427b3930fb3dae6a18d85f2a115ba70a6310e9

SHA256
b0915769671365d4fc39ca2b91c68528cb9f4d7eb92980e9b9805530123b26a5

SHA512
3da4a5b2b9001cf2c64b24341463ad9c8a83e63404371a9b7f6326647e62be9ac5c2eaab750cd0c575c4a1b0935c49cf6c039b6d4b0591a32c262b5ff74856c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixp4.cpl

Filesize
1.1MB

MD5
9eab288cdb6a275c6963d8db7f289e34

SHA1
a3427b3930fb3dae6a18d85f2a115ba70a6310e9

SHA256
b0915769671365d4fc39ca2b91c68528cb9f4d7eb92980e9b9805530123b26a5

SHA512
3da4a5b2b9001cf2c64b24341463ad9c8a83e63404371a9b7f6326647e62be9ac5c2eaab750cd0c575c4a1b0935c49cf6c039b6d4b0591a32c262b5ff74856c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixp4.cpl

Filesize
1.1MB

MD5
9eab288cdb6a275c6963d8db7f289e34

SHA1
a3427b3930fb3dae6a18d85f2a115ba70a6310e9

SHA256
b0915769671365d4fc39ca2b91c68528cb9f4d7eb92980e9b9805530123b26a5

SHA512
3da4a5b2b9001cf2c64b24341463ad9c8a83e63404371a9b7f6326647e62be9ac5c2eaab750cd0c575c4a1b0935c49cf6c039b6d4b0591a32c262b5ff74856c3

Download Submit
memory/2260-153-0x0000000002A60000-0x0000000002B39000-memory.dmp

Filesize
868KB

Download
memory/2260-145-0x0000000000EB0000-0x0000000000FCD000-memory.dmp

Filesize
1.1MB

Download
memory/2260-149-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/2260-150-0x0000000002A60000-0x0000000002B39000-memory.dmp

Filesize
868KB

Download
memory/2260-151-0x0000000002A60000-0x0000000002B39000-memory.dmp

Filesize
868KB

Download
memory/2260-146-0x0000000000EB0000-0x0000000000FCD000-memory.dmp

Filesize
1.1MB

Download
memory/2260-154-0x0000000002A60000-0x0000000002B39000-memory.dmp

Filesize
868KB

Download
memory/2260-148-0x0000000002970000-0x0000000002A5F000-memory.dmp

Filesize
956KB

Download
memory/4496-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4496-158-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/4496-159-0x0000000003260000-0x000000000334F000-memory.dmp

Filesize
956KB

Download
memory/4496-160-0x0000000003360000-0x0000000003439000-memory.dmp

Filesize
868KB

Download
memory/4496-161-0x0000000003360000-0x0000000003439000-memory.dmp

Filesize
868KB

Download
memory/4496-163-0x0000000003360000-0x0000000003439000-memory.dmp

Filesize
868KB

Download
memory/4496-164-0x0000000003360000-0x0000000003439000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing