f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb

General

Target

f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe
Size

1.5MB
MD5

4746303dc2aaeba2e65e6019a39f6e96
SHA1

4bab3ebae6965f80fcc0f523d34b7c080188e036
SHA256

f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb
SHA512

d7cd1f9b8911f416898b1f093738f14e6fd005d796dae9ce2000cfcfa33e9adf557ed290c45c7d4ac9a119c46d41e66bf2b988061f1bf6f9b41a2262c9979d7b
SSDEEP

24576:gJr8tE+gHqpMywB/fFodh1M0R3lxkgGcYLvuhI2PwDNsWN46Mq4ehEe4Q:gJ4NpMyMdodHVx8LWhIwmNsWN2q4ehEQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe

Loads dropped DLL 3 IoCs

pid	Process
1156	rundll32.exe
1156	rundll32.exe
900	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4364	4100	f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe	87
PID 4100 wrote to memory of 4364	4100	f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe	87
PID 4100 wrote to memory of 4364	4100	f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe	87
PID 4364 wrote to memory of 1156	4364	control.exe	89
PID 4364 wrote to memory of 1156	4364	control.exe	89
PID 4364 wrote to memory of 1156	4364	control.exe	89
PID 1156 wrote to memory of 2284	1156	rundll32.exe	90
PID 1156 wrote to memory of 2284	1156	rundll32.exe	90
PID 2284 wrote to memory of 900	2284	RunDll32.exe	91
PID 2284 wrote to memory of 900	2284	RunDll32.exe	91
PID 2284 wrote to memory of 900	2284	RunDll32.exe	91

C:\Users\Admin\AppData\Local\Temp\f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe
"C:\Users\Admin\AppData\Local\Temp\f119b7640320562056782c6c372d4c5da077d6eb9b596f6cd89483a1dc19a3fb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Vh4O.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Vh4O.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Vh4O.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\Vh4O.cpL",
        5⤵
        Loads dropped DLL
        
        PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vh4O.cpL

Filesize
1.3MB

MD5
fc299c0551969404f888488a4d3d88bb

SHA1
f4e529765e995a645653763e3bf2cb6506618ed9

SHA256
35463cebf563b66b495e48922d069a8fbcfcf61b25acdac334dc2166e79bf89c

SHA512
61de8ce42bbf5adedbfd7d999bba6e340b713bc949ed17be283056bcccd9fb0223bb7ca5a4678f7bb8bea59c99e30d9d4835ea59eaf6f9f37a7a91344163780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4O.cpl

Filesize
1.3MB

MD5
fc299c0551969404f888488a4d3d88bb

SHA1
f4e529765e995a645653763e3bf2cb6506618ed9

SHA256
35463cebf563b66b495e48922d069a8fbcfcf61b25acdac334dc2166e79bf89c

SHA512
61de8ce42bbf5adedbfd7d999bba6e340b713bc949ed17be283056bcccd9fb0223bb7ca5a4678f7bb8bea59c99e30d9d4835ea59eaf6f9f37a7a91344163780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4O.cpl

Filesize
1.3MB

MD5
fc299c0551969404f888488a4d3d88bb

SHA1
f4e529765e995a645653763e3bf2cb6506618ed9

SHA256
35463cebf563b66b495e48922d069a8fbcfcf61b25acdac334dc2166e79bf89c

SHA512
61de8ce42bbf5adedbfd7d999bba6e340b713bc949ed17be283056bcccd9fb0223bb7ca5a4678f7bb8bea59c99e30d9d4835ea59eaf6f9f37a7a91344163780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4O.cpl

Filesize
1.3MB

MD5
fc299c0551969404f888488a4d3d88bb

SHA1
f4e529765e995a645653763e3bf2cb6506618ed9

SHA256
35463cebf563b66b495e48922d069a8fbcfcf61b25acdac334dc2166e79bf89c

SHA512
61de8ce42bbf5adedbfd7d999bba6e340b713bc949ed17be283056bcccd9fb0223bb7ca5a4678f7bb8bea59c99e30d9d4835ea59eaf6f9f37a7a91344163780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4O.cpl

Filesize
1.3MB

MD5
fc299c0551969404f888488a4d3d88bb

SHA1
f4e529765e995a645653763e3bf2cb6506618ed9

SHA256
35463cebf563b66b495e48922d069a8fbcfcf61b25acdac334dc2166e79bf89c

SHA512
61de8ce42bbf5adedbfd7d999bba6e340b713bc949ed17be283056bcccd9fb0223bb7ca5a4678f7bb8bea59c99e30d9d4835ea59eaf6f9f37a7a91344163780a

Download Submit
memory/900-164-0x0000000003190000-0x0000000003276000-memory.dmp

Filesize
920KB

Download
memory/900-163-0x0000000003190000-0x0000000003276000-memory.dmp

Filesize
920KB

Download
memory/900-161-0x0000000003190000-0x0000000003276000-memory.dmp

Filesize
920KB

Download
memory/900-160-0x0000000003190000-0x0000000003276000-memory.dmp

Filesize
920KB

Download
memory/900-159-0x0000000003090000-0x000000000318D000-memory.dmp

Filesize
1012KB

Download
memory/900-158-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/900-156-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1156-147-0x0000000002760000-0x00000000028B3000-memory.dmp

Filesize
1.3MB

Download
memory/1156-154-0x0000000002C40000-0x0000000002D26000-memory.dmp

Filesize
920KB

Download
memory/1156-153-0x0000000002C40000-0x0000000002D26000-memory.dmp

Filesize
920KB

Download
memory/1156-151-0x0000000002C40000-0x0000000002D26000-memory.dmp

Filesize
920KB

Download
memory/1156-150-0x0000000002C40000-0x0000000002D26000-memory.dmp

Filesize
920KB

Download
memory/1156-149-0x0000000002B40000-0x0000000002C3D000-memory.dmp

Filesize
1012KB

Download
memory/1156-146-0x0000000000A60000-0x0000000000A66000-memory.dmp

Filesize
24KB

Download
memory/1156-145-0x0000000002760000-0x00000000028B3000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing