d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f

General

Target

d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe
Size

1.7MB
MD5

0d5c92dfc31c339132277e964f82f1bf
SHA1

681485d93709a698b28431cff17c3df7e50bf42d
SHA256

d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f
SHA512

a9801b621ca9cdffa01aab71d4f1793221f5a84a69051536a54d3460d0ffd01e4735b1a0e5636ef52719e34dc28d120987d154143cf37229d7e5546eaeae1b4b
SSDEEP

49152:OCWhF7BfJXAEsXH9bEJTOBwnnlbKHE9tH6Yh9G3QQq5O:OCWhF7BfKECEJThnlbOEvH689rN5O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	rundll32.exe
2084	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 4408 wrote to memory of 2508	4408	d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe	86
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 2508 wrote to memory of 1868	2508	control.exe	88
PID 1868 wrote to memory of 2848	1868	rundll32.exe	93
PID 1868 wrote to memory of 2848	1868	rundll32.exe	93
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94
PID 2848 wrote to memory of 2084	2848	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe
"C:\Users\Admin\AppData\Local\Temp\d02ca6cc79e5b759daa5412b01f98590edaf9a002a46002c71019d6fcc032e9f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~URV.cPL",
        5⤵
        Loads dropped DLL
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~URV.cPL

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~URV.cpl

Filesize
1.3MB

MD5
18aff3e4889a949829bc9db91bac2d79

SHA1
b3c1b0d0057828348cea1cb8e3ed88d347fdf6c8

SHA256
bc6c612c9ca5e9e50c9ef1474ee587b93a8997fce9fa5b70b0ab63a85f0fe4ed

SHA512
1a6d0de77c5eae138bda671a92f0b575a53eaa50fe4497891dd2fb0b28930a412e62ca5c530cac5b04521039c803c61634a119c43eae19e090bd6801667bfdef

Download Submit
memory/1868-151-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-147-0x0000000003420000-0x000000000351F000-memory.dmp

Filesize
1020KB

Download
memory/1868-148-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-149-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-144-0x0000000002C90000-0x0000000002C96000-memory.dmp

Filesize
24KB

Download
memory/1868-152-0x0000000003520000-0x0000000003606000-memory.dmp

Filesize
920KB

Download
memory/1868-145-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2084-154-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/2084-158-0x0000000002E70000-0x0000000002F6F000-memory.dmp

Filesize
1020KB

Download
memory/2084-160-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2084-162-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download
memory/2084-163-0x0000000002F80000-0x0000000003066000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing