aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824

General

Target

aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe
Size

1.7MB
MD5

1fbc617f0732d2d1250d47e58bec3fbf
SHA1

a8b4715877fd90b1b5973dd7cbfabc80b571cf28
SHA256

aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824
SHA512

1d83facb626eaaeb43a0086ce0b5fd6cc2cd8b977cf62fac5fa763fb319204c6b72ad9a2accb14c7d70a3b279e189dbee77bfd80730c610ac75a31939be65390
SSDEEP

49152:NPPtRcJk8MraYwlia3PAPCVoDEaToGStNz1:NOk8M1woaoPCVoD/ERNz1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe

Loads dropped DLL 2 IoCs

pid	Process
1072	rundll32.exe
3780	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings	aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1760	1396	aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe	87
PID 1396 wrote to memory of 1760	1396	aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe	87
PID 1396 wrote to memory of 1760	1396	aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe	87
PID 1760 wrote to memory of 1072	1760	control.exe	89
PID 1760 wrote to memory of 1072	1760	control.exe	89
PID 1760 wrote to memory of 1072	1760	control.exe	89
PID 1072 wrote to memory of 3768	1072	rundll32.exe	96
PID 1072 wrote to memory of 3768	1072	rundll32.exe	96
PID 3768 wrote to memory of 3780	3768	RunDll32.exe	97
PID 3768 wrote to memory of 3780	3768	RunDll32.exe	97
PID 3768 wrote to memory of 3780	3768	RunDll32.exe	97

C:\Users\Admin\AppData\Local\Temp\aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe
"C:\Users\Admin\AppData\Local\Temp\aca6edd680afbc1d7e815a97df52b0bdcafdf4c19fab6d8c9d7f06de8e365824.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpL",
        5⤵
        Loads dropped DLL
        
        PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpL

Filesize
1.3MB

MD5
b3df78b736a207b32ad17fc68000a069

SHA1
fbdc9df1945294ef0a0828c2ae9b7fcdbce7f969

SHA256
cc019df4cb7cc2ee07ee82cc9ac414a2855c6f744e22e8ca492fd1dd78011b5c

SHA512
ad220128c282e77013e3093bb84c5dd282d6f765e63858689daa99bf9a8bd14f06329899142f05d60c8cdca9b4cb8c8f84ecf9388770afff3c93dc37a670c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpl

Filesize
1.3MB

MD5
b3df78b736a207b32ad17fc68000a069

SHA1
fbdc9df1945294ef0a0828c2ae9b7fcdbce7f969

SHA256
cc019df4cb7cc2ee07ee82cc9ac414a2855c6f744e22e8ca492fd1dd78011b5c

SHA512
ad220128c282e77013e3093bb84c5dd282d6f765e63858689daa99bf9a8bd14f06329899142f05d60c8cdca9b4cb8c8f84ecf9388770afff3c93dc37a670c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpl

Filesize
1.3MB

MD5
b3df78b736a207b32ad17fc68000a069

SHA1
fbdc9df1945294ef0a0828c2ae9b7fcdbce7f969

SHA256
cc019df4cb7cc2ee07ee82cc9ac414a2855c6f744e22e8ca492fd1dd78011b5c

SHA512
ad220128c282e77013e3093bb84c5dd282d6f765e63858689daa99bf9a8bd14f06329899142f05d60c8cdca9b4cb8c8f84ecf9388770afff3c93dc37a670c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8pDBZ.cpl

Filesize
1.3MB

MD5
b3df78b736a207b32ad17fc68000a069

SHA1
fbdc9df1945294ef0a0828c2ae9b7fcdbce7f969

SHA256
cc019df4cb7cc2ee07ee82cc9ac414a2855c6f744e22e8ca492fd1dd78011b5c

SHA512
ad220128c282e77013e3093bb84c5dd282d6f765e63858689daa99bf9a8bd14f06329899142f05d60c8cdca9b4cb8c8f84ecf9388770afff3c93dc37a670c249

Download Submit
memory/1072-152-0x0000000003410000-0x0000000003503000-memory.dmp

Filesize
972KB

Download
memory/1072-147-0x0000000003300000-0x000000000340E000-memory.dmp

Filesize
1.1MB

Download
memory/1072-148-0x0000000003410000-0x0000000003503000-memory.dmp

Filesize
972KB

Download
memory/1072-151-0x0000000003410000-0x0000000003503000-memory.dmp

Filesize
972KB

Download
memory/1072-144-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1072-145-0x0000000002CD0000-0x0000000002CD6000-memory.dmp

Filesize
24KB

Download
memory/3780-155-0x0000000002420000-0x0000000002426000-memory.dmp

Filesize
24KB

Download
memory/3780-157-0x0000000002B40000-0x0000000002C4E000-memory.dmp

Filesize
1.1MB

Download
memory/3780-158-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/3780-159-0x0000000002C50000-0x0000000002D43000-memory.dmp

Filesize
972KB

Download
memory/3780-162-0x0000000002C50000-0x0000000002D43000-memory.dmp

Filesize
972KB

Download
memory/3780-163-0x0000000002C50000-0x0000000002D43000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing