d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f

Analysis

max time kernel
141s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2023, 13:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe
Size

1.7MB
MD5

0d5c92dfc31c339132277e964f82f1bf
SHA1

681485d93709a698b28431cff17c3df7e50bf42d
SHA256

d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f
SHA512

a9801b621ca9cdffa01aab71d4f1793221f5a84a69051536a54d3460d0ffd01e4735b1a0e5636ef52719e34dc28d120987d154143cf37229d7e5546eaeae1b4b
SSDEEP

49152:OCWhF7BfJXAEsXH9bEJTOBwnnlbKHE9tH6Yh9G3QQq5O:OCWhF7BfKECEJThnlbOEvH689rN5O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	rundll32.exe
2084	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 1868 wrote to memory of 2848	1868	rundll32.exe	93
PID 1868 wrote to memory of 2848	1868	rundll32.exe	93
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe
"C:\Users\Admin\AppData\Local\Temp\d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
        5⤵
        Loads dropped DLL
        
        PID:2084

Network

DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

254.178.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.178.238.8.in-addr.arpa

IN PTR

Response
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

63.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.13.109.52.in-addr.arpa

IN PTR

Response
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

200.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.74.101.95.in-addr.arpa

IN PTR

Response

200.74.101.95.in-addr.arpa

IN PTR

a95-101-74-200deploystaticakamaitechnologiescom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

192.98.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.98.74.40.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

254.178.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.178.238.8.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

63.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

63.13.109.52.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

200.74.101.95.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

200.74.101.95.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

192.98.74.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

192.98.74.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~URV.cPL

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
memory/1868-151-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-147-0x0000000003420000-0x000000000351F000-memory.dmp

Filesize
1020KB

Download
memory/1868-148-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-149-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-144-0x0000000002C90000-0x0000000002C96000-memory.dmp

Filesize
24KB

Download
memory/1868-152-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-145-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2084-154-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/2084-158-0x0000000002E70000-0x0000000002F6F000-memory.dmp

Filesize
1020KB

Download
memory/2084-160-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2084-162-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2084-163-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.