ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1

General

Target

ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe
Size

1.2MB
MD5

bff91d1335ec71ff61694b2abb06a649
SHA1

58f140da7046195745e0978d61debee3f139842f
SHA256

ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1
SHA512

d191e89e9f4358d1b6609f5eac2fa0e4ba221d5718d0832b3e58d423e9cd1fa07a8c82050a2fb61deea58f40433e579c3b81be185d98dc54b91583dd1f56f651
SSDEEP

24576:I/XEXjJSFHUKBjibjqNyj9wowTQ7Z6q8j6kIfEOZdVndDkRO8PcE+m4g9FX:I/oSBajgySiZ6aPZNIIK+m4g9FX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe

Loads dropped DLL 3 IoCs

pid	Process
3692	rundll32.exe
220	rundll32.exe
220	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1068	3304	ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe	83
PID 3304 wrote to memory of 1068	3304	ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe	83
PID 3304 wrote to memory of 1068	3304	ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe	83
PID 1068 wrote to memory of 3692	1068	control.exe	84
PID 1068 wrote to memory of 3692	1068	control.exe	84
PID 1068 wrote to memory of 3692	1068	control.exe	84
PID 3692 wrote to memory of 3872	3692	rundll32.exe	89
PID 3692 wrote to memory of 3872	3692	rundll32.exe	89
PID 3872 wrote to memory of 220	3872	RunDll32.exe	90
PID 3872 wrote to memory of 220	3872	RunDll32.exe	90
PID 3872 wrote to memory of 220	3872	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe
"C:\Users\Admin\AppData\Local\Temp\ab2894916ee51487f4a3405783dfb37b2df98920560c11b7814970bff10feea1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\4xDTf~.L
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\4xDTf~.L
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\4xDTf~.L
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\4xDTf~.L
        5⤵
        Loads dropped DLL
        
        PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4xDTf~.L

Filesize
1.0MB

MD5
9007b384fe5396937d24577ee01b90e1

SHA1
e34d05c039853dfa9d6ee67a9acc0149547fe9bf

SHA256
0dbfa7ce563ebec5042d19f375e4d4f2bce1a9c43d693fc2b2bc4aef897e40dd

SHA512
b77f77fa03eede2c79d3f460381807ba025676664e073f46cff72f9d66e686b33a5028b18c1e10d62f396217b7b1fd62ea3b70a15c475bfc1993ad7648135f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xDtf~.L

Filesize
1.0MB

MD5
9007b384fe5396937d24577ee01b90e1

SHA1
e34d05c039853dfa9d6ee67a9acc0149547fe9bf

SHA256
0dbfa7ce563ebec5042d19f375e4d4f2bce1a9c43d693fc2b2bc4aef897e40dd

SHA512
b77f77fa03eede2c79d3f460381807ba025676664e073f46cff72f9d66e686b33a5028b18c1e10d62f396217b7b1fd62ea3b70a15c475bfc1993ad7648135f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xDtf~.L

Filesize
1.0MB

MD5
9007b384fe5396937d24577ee01b90e1

SHA1
e34d05c039853dfa9d6ee67a9acc0149547fe9bf

SHA256
0dbfa7ce563ebec5042d19f375e4d4f2bce1a9c43d693fc2b2bc4aef897e40dd

SHA512
b77f77fa03eede2c79d3f460381807ba025676664e073f46cff72f9d66e686b33a5028b18c1e10d62f396217b7b1fd62ea3b70a15c475bfc1993ad7648135f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xDtf~.L

Filesize
1.0MB

MD5
9007b384fe5396937d24577ee01b90e1

SHA1
e34d05c039853dfa9d6ee67a9acc0149547fe9bf

SHA256
0dbfa7ce563ebec5042d19f375e4d4f2bce1a9c43d693fc2b2bc4aef897e40dd

SHA512
b77f77fa03eede2c79d3f460381807ba025676664e073f46cff72f9d66e686b33a5028b18c1e10d62f396217b7b1fd62ea3b70a15c475bfc1993ad7648135f06

Download Submit
memory/220-151-0x0000000000C50000-0x0000000000C56000-memory.dmp

Filesize
24KB

Download
memory/220-148-0x0000000002420000-0x0000000002524000-memory.dmp

Filesize
1.0MB

Download
memory/220-149-0x0000000002420000-0x0000000002524000-memory.dmp

Filesize
1.0MB

Download
memory/220-152-0x00000000027F0000-0x00000000028C8000-memory.dmp

Filesize
864KB

Download
memory/220-153-0x00000000028D0000-0x0000000002992000-memory.dmp

Filesize
776KB

Download
memory/220-156-0x00000000028D0000-0x0000000002992000-memory.dmp

Filesize
776KB

Download
memory/220-157-0x00000000028D0000-0x0000000002992000-memory.dmp

Filesize
776KB

Download
memory/3692-141-0x00000000032F0000-0x00000000033B2000-memory.dmp

Filesize
776KB

Download
memory/3692-144-0x00000000032F0000-0x00000000033B2000-memory.dmp

Filesize
776KB

Download
memory/3692-145-0x00000000032F0000-0x00000000033B2000-memory.dmp

Filesize
776KB

Download
memory/3692-140-0x0000000003210000-0x00000000032E8000-memory.dmp

Filesize
864KB

Download
memory/3692-139-0x00000000030E0000-0x00000000030E6000-memory.dmp

Filesize
24KB

Download
memory/3692-137-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing