582150ba4379122253eeb2a1a7ace968394ee7e566f0d0d794f6ba7d937037d5

General

Target

data64_6.exe
Size

1.9MB
MD5

182baf929b35d5d63747617d2007c77a
SHA1

0dfe91ab115ed862b48b1e4006a44e86c33eb772
SHA256

582150ba4379122253eeb2a1a7ace968394ee7e566f0d0d794f6ba7d937037d5
SHA512

55bab5bbec04389f94f297843f7fcb4d71173c8f1f6e5007b6a2eaf5d937f50f9b2d9f61f983c86b20d342a4a4cb6691e23c3a0322575c826d23b55ee61a19f7
SSDEEP

49152:084cMQyRcf9HmjMbS4b08WrjXM6pzM6MGaU9PPIbnllyuA:6cMQyW9GX4MXBGyZPynXyB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	data64_6.exe

Loads dropped DLL 4 IoCs

pid	Process
3620	rundll32.exe
3620	rundll32.exe
1088	rundll32.exe
1088	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings	data64_6.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3368	1788	data64_6.exe	86
PID 1788 wrote to memory of 3368	1788	data64_6.exe	86
PID 1788 wrote to memory of 3368	1788	data64_6.exe	86
PID 3368 wrote to memory of 3620	3368	control.exe	88
PID 3368 wrote to memory of 3620	3368	control.exe	88
PID 3368 wrote to memory of 3620	3368	control.exe	88
PID 3620 wrote to memory of 2248	3620	rundll32.exe	97
PID 3620 wrote to memory of 2248	3620	rundll32.exe	97
PID 2248 wrote to memory of 1088	2248	RunDll32.exe	98
PID 2248 wrote to memory of 1088	2248	RunDll32.exe	98
PID 2248 wrote to memory of 1088	2248	RunDll32.exe	98

C:\Users\Admin\AppData\Local\Temp\data64_6.exe
"C:\Users\Admin\AppData\Local\Temp\data64_6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        5⤵
        Loads dropped DLL
        
        PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vNN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.4MB

MD5
56c188ca285aee639d71fde9fee3a509

SHA1
a40fd871f035e2b635af266b17023d58f3eb803e

SHA256
5d3bb7982d03ebacf05e59667ef41f8453d321be74245730b99d95023e52956f

SHA512
72b05b5af83c5957db2e7dd9a46e65c27eb8c175efcab6ca7675a7f3832bb1e668b689cc9afbd8400b46ab5d5b0804dc2f837ac9c34e732a3b9e7b0947c624ad

Download Submit
memory/1088-167-0x0000000002DC0000-0x0000000002E68000-memory.dmp

Filesize
672KB

Download
memory/1088-169-0x0000000002DC0000-0x0000000002E68000-memory.dmp

Filesize
672KB

Download
memory/1088-160-0x00000000028E0000-0x0000000002A7B000-memory.dmp

Filesize
1.6MB

Download
memory/1088-166-0x0000000002DC0000-0x0000000002E68000-memory.dmp

Filesize
672KB

Download
memory/1088-165-0x0000000002D00000-0x0000000002DBD000-memory.dmp

Filesize
756KB

Download
memory/1088-162-0x00000000022F0000-0x0000000002552000-memory.dmp

Filesize
2.4MB

Download
memory/1088-161-0x0000000002BC0000-0x0000000002CFC000-memory.dmp

Filesize
1.2MB

Download
memory/1088-171-0x0000000002DC0000-0x0000000002E68000-memory.dmp

Filesize
672KB

Download
memory/1088-173-0x0000000002BC0000-0x0000000002CFC000-memory.dmp

Filesize
1.2MB

Download
memory/1088-158-0x00000000022F0000-0x0000000002552000-memory.dmp

Filesize
2.4MB

Download
memory/3620-147-0x0000000003220000-0x000000000335C000-memory.dmp

Filesize
1.2MB

Download
memory/3620-155-0x0000000003420000-0x00000000034C8000-memory.dmp

Filesize
672KB

Download
memory/3620-154-0x0000000003420000-0x00000000034C8000-memory.dmp

Filesize
672KB

Download
memory/3620-152-0x0000000003420000-0x00000000034C8000-memory.dmp

Filesize
672KB

Download
memory/3620-151-0x0000000003420000-0x00000000034C8000-memory.dmp

Filesize
672KB

Download
memory/3620-150-0x0000000003360000-0x000000000341D000-memory.dmp

Filesize
756KB

Download
memory/3620-148-0x0000000002A30000-0x0000000002C92000-memory.dmp

Filesize
2.4MB

Download
memory/3620-146-0x0000000002F40000-0x00000000030DB000-memory.dmp

Filesize
1.6MB

Download
memory/3620-145-0x0000000002A30000-0x0000000002C92000-memory.dmp

Filesize
2.4MB

Download
memory/3620-175-0x0000000003220000-0x000000000335C000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing