2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d

General

Target

743231862cd5eebccceec6420da8d849.exe
Size

1.5MB
MD5

743231862cd5eebccceec6420da8d849
SHA1

010f3f295fa5a40b5d153dc7cedd8b9b8161df4f
SHA256

2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d
SHA512

bd754600efa22147b6106ac93af24fadccfb56a69a0d4b1a2b02ac4ccf5a03e4f463e4246e51751a680c4110201a86595574c5f1250b1324eab112cb67cf9fb4
SSDEEP

49152:qDkUjj/ll6POkDpovMg/M9e7qz0HqFXGySqo:q4UFQ/DpeV/MXpFXGL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation	743231862cd5eebccceec6420da8d849.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	rundll32.exe
440	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings	743231862cd5eebccceec6420da8d849.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 4424	1292	743231862cd5eebccceec6420da8d849.exe	84
PID 1292 wrote to memory of 4424	1292	743231862cd5eebccceec6420da8d849.exe	84
PID 1292 wrote to memory of 4424	1292	743231862cd5eebccceec6420da8d849.exe	84
PID 4424 wrote to memory of 2260	4424	control.exe	86
PID 4424 wrote to memory of 2260	4424	control.exe	86
PID 4424 wrote to memory of 2260	4424	control.exe	86
PID 2260 wrote to memory of 4168	2260	rundll32.exe	92
PID 2260 wrote to memory of 4168	2260	rundll32.exe	92
PID 4168 wrote to memory of 440	4168	RunDll32.exe	93
PID 4168 wrote to memory of 440	4168	RunDll32.exe	93
PID 4168 wrote to memory of 440	4168	RunDll32.exe	93

C:\Users\Admin\AppData\Local\Temp\743231862cd5eebccceec6420da8d849.exe
"C:\Users\Admin\AppData\Local\Temp\743231862cd5eebccceec6420da8d849.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL",
        5⤵
        Loads dropped DLL
        
        PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ICMkG_G.CpL

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ICMkg_G.cpl

Filesize
1.6MB

MD5
c0c571dd662aab0a16a3f34d76fd9708

SHA1
a2eb9a11ee29c7b5f8e9cfee65db172d6d7566eb

SHA256
db5963c31dd229cc9929b1ced823ccfb4e078112887df9242cc9dcc8618d214f

SHA512
4de79325d0806960b9ee415179a8618d0a765a23f4f639a1073a25714d16ff8c2d4cf78941cc642faa64edabc621236bb5aac007b18a484d822ed84af412e633

Download Submit
memory/440-162-0x0000000002E70000-0x0000000002F56000-memory.dmp

Filesize
920KB

Download
memory/440-161-0x0000000002E70000-0x0000000002F56000-memory.dmp

Filesize
920KB

Download
memory/440-158-0x0000000002E70000-0x0000000002F56000-memory.dmp

Filesize
920KB

Download
memory/440-157-0x0000000002AD0000-0x0000000002BD0000-memory.dmp

Filesize
1024KB

Download
memory/440-156-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/2260-144-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-152-0x0000000002F60000-0x0000000003046000-memory.dmp

Filesize
920KB

Download
memory/2260-151-0x0000000002F60000-0x0000000003046000-memory.dmp

Filesize
920KB

Download
memory/2260-148-0x0000000002F60000-0x0000000003046000-memory.dmp

Filesize
920KB

Download
memory/2260-147-0x0000000002BB0000-0x0000000002CB0000-memory.dmp

Filesize
1024KB

Download
memory/2260-146-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing