2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185

General

Target

2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe
Size

1.6MB
MD5

10d6d8c0320f6578af0d254f77847a87
SHA1

5ad497966d4ae81e048824f4e4c67af97003780b
SHA256

2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185
SHA512

001b2b56de82960d358dad927ff936b56cf15d014c3ecf3f077c5d993ae1642b512712e3f513b9098c805e8384727727fed300d9f2b38c93620914d2b0a9cb27
SSDEEP

24576:TlMiZMVn1db5GnUZLPmAItXYvYZrKmtLTet4Mwh0sETy22OX48FJylgHdiX47Hcd:mPPmR1gYZrKQetWUTx2i4mJUgPLM8u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe

Loads dropped DLL 3 IoCs

pid	Process
5100	rundll32.exe
5100	rundll32.exe
3292	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4064	4204	2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe	86
PID 4204 wrote to memory of 4064	4204	2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe	86
PID 4204 wrote to memory of 4064	4204	2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe	86
PID 4064 wrote to memory of 5100	4064	control.exe	88
PID 4064 wrote to memory of 5100	4064	control.exe	88
PID 4064 wrote to memory of 5100	4064	control.exe	88
PID 5100 wrote to memory of 1488	5100	rundll32.exe	95
PID 5100 wrote to memory of 1488	5100	rundll32.exe	95
PID 1488 wrote to memory of 3292	1488	RunDll32.exe	96
PID 1488 wrote to memory of 3292	1488	RunDll32.exe	96
PID 1488 wrote to memory of 3292	1488	RunDll32.exe	96

C:\Users\Admin\AppData\Local\Temp\2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe
"C:\Users\Admin\AppData\Local\Temp\2a4cfaacba83908f50d266a0bd93df4b72eff60e378c17e716038cc89cd33185.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\i7ME7.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\i7ME7.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\i7ME7.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\i7ME7.CPl",
        5⤵
        Loads dropped DLL
        
        PID:3292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i7ME7.CPl

Filesize
1.2MB

MD5
bb7c34d42d71dd1e9a92b4b400e998ea

SHA1
0d8542b6442d62aca5af03d5c7c1586f6f40cc41

SHA256
b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e

SHA512
3f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7mE7.cpl

Filesize
1.2MB

MD5
bb7c34d42d71dd1e9a92b4b400e998ea

SHA1
0d8542b6442d62aca5af03d5c7c1586f6f40cc41

SHA256
b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e

SHA512
3f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7mE7.cpl

Filesize
1.2MB

MD5
bb7c34d42d71dd1e9a92b4b400e998ea

SHA1
0d8542b6442d62aca5af03d5c7c1586f6f40cc41

SHA256
b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e

SHA512
3f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7mE7.cpl

Filesize
1.2MB

MD5
bb7c34d42d71dd1e9a92b4b400e998ea

SHA1
0d8542b6442d62aca5af03d5c7c1586f6f40cc41

SHA256
b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e

SHA512
3f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7mE7.cpl

Filesize
1.2MB

MD5
bb7c34d42d71dd1e9a92b4b400e998ea

SHA1
0d8542b6442d62aca5af03d5c7c1586f6f40cc41

SHA256
b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e

SHA512
3f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0

Download Submit
memory/3292-157-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-156-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/3292-165-0x0000000003390000-0x0000000003475000-memory.dmp

Filesize
916KB

Download
memory/3292-164-0x0000000003390000-0x0000000003475000-memory.dmp

Filesize
916KB

Download
memory/3292-161-0x0000000003390000-0x0000000003475000-memory.dmp

Filesize
916KB

Download
memory/3292-160-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-159-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/5100-153-0x0000000002BA0000-0x0000000002C85000-memory.dmp

Filesize
916KB

Download
memory/5100-145-0x0000000002670000-0x000000000279C000-memory.dmp

Filesize
1.2MB

Download
memory/5100-146-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/5100-154-0x0000000002BA0000-0x0000000002C85000-memory.dmp

Filesize
916KB

Download
memory/5100-147-0x0000000002670000-0x000000000279C000-memory.dmp

Filesize
1.2MB

Download
memory/5100-150-0x0000000002BA0000-0x0000000002C85000-memory.dmp

Filesize
916KB

Download
memory/5100-149-0x0000000002AA0000-0x0000000002BA0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing