d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb

General

Target

d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe
Size

1.4MB
MD5

2a86ef590f6d68c50b7a0f0182d43921
SHA1

9050245b755e5b858edbdf87d56fba44371b1269
SHA256

d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb
SHA512

ad389245206aa749c553a7a4702037be03302b7146ded4640a5468dee1ba4b730b6c3fc51800581a1666beffa956df2249e55f00175edd042f7bcbaeae682c7b
SSDEEP

24576:8cbD/e1EBDg/GBIydvwP8DbPR1vx7syRPMirHIBS9/Q3t+E+c0aNxD:8cbi6QGBI38Dbl7rRPMOIBoQ3tvXD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe

Loads dropped DLL 3 IoCs

pid	Process
1348	rundll32.exe
1348	rundll32.exe
3644	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 208	4892	d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe	85
PID 4892 wrote to memory of 208	4892	d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe	85
PID 4892 wrote to memory of 208	4892	d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe	85
PID 208 wrote to memory of 1348	208	control.exe	88
PID 208 wrote to memory of 1348	208	control.exe	88
PID 208 wrote to memory of 1348	208	control.exe	88
PID 1348 wrote to memory of 2484	1348	rundll32.exe	91
PID 1348 wrote to memory of 2484	1348	rundll32.exe	91
PID 2484 wrote to memory of 3644	2484	RunDll32.exe	92
PID 2484 wrote to memory of 3644	2484	RunDll32.exe	92
PID 2484 wrote to memory of 3644	2484	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe
"C:\Users\Admin\AppData\Local\Temp\d35c61a3401098c3ac9710e5eeddaabaa26d966ab0acbadae1c467e2cfcdabeb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\YSLWYTFP.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YSLWYTFP.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YSLWYTFP.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\YSLWYTFP.CPL",
        5⤵
        Loads dropped DLL
        
        PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YSLWYTFP.CPL

Filesize
1.2MB

MD5
cb3db10961bb75fc4806432dc3042878

SHA1
04e6cb071b68e7e040173321b5247854d78e9193

SHA256
405e3faacba9f320e2ad5b83e961bf5d108ecc0a524892d21de5ee2dc16ea4a7

SHA512
06e6431cefcefaf1b0a1b419369b5e0b677807885f4d7dcf026984451767ae0e810a7c124dc4b733b6f96470127c2145ab9266f9b8454b5c07824076fffea671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySlWyTfP.cpl

Filesize
1.2MB

MD5
cb3db10961bb75fc4806432dc3042878

SHA1
04e6cb071b68e7e040173321b5247854d78e9193

SHA256
405e3faacba9f320e2ad5b83e961bf5d108ecc0a524892d21de5ee2dc16ea4a7

SHA512
06e6431cefcefaf1b0a1b419369b5e0b677807885f4d7dcf026984451767ae0e810a7c124dc4b733b6f96470127c2145ab9266f9b8454b5c07824076fffea671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySlWyTfP.cpl

Filesize
1.2MB

MD5
cb3db10961bb75fc4806432dc3042878

SHA1
04e6cb071b68e7e040173321b5247854d78e9193

SHA256
405e3faacba9f320e2ad5b83e961bf5d108ecc0a524892d21de5ee2dc16ea4a7

SHA512
06e6431cefcefaf1b0a1b419369b5e0b677807885f4d7dcf026984451767ae0e810a7c124dc4b733b6f96470127c2145ab9266f9b8454b5c07824076fffea671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySlWyTfP.cpl

Filesize
1.2MB

MD5
cb3db10961bb75fc4806432dc3042878

SHA1
04e6cb071b68e7e040173321b5247854d78e9193

SHA256
405e3faacba9f320e2ad5b83e961bf5d108ecc0a524892d21de5ee2dc16ea4a7

SHA512
06e6431cefcefaf1b0a1b419369b5e0b677807885f4d7dcf026984451767ae0e810a7c124dc4b733b6f96470127c2145ab9266f9b8454b5c07824076fffea671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ySlWyTfP.cpl

Filesize
1.2MB

MD5
cb3db10961bb75fc4806432dc3042878

SHA1
04e6cb071b68e7e040173321b5247854d78e9193

SHA256
405e3faacba9f320e2ad5b83e961bf5d108ecc0a524892d21de5ee2dc16ea4a7

SHA512
06e6431cefcefaf1b0a1b419369b5e0b677807885f4d7dcf026984451767ae0e810a7c124dc4b733b6f96470127c2145ab9266f9b8454b5c07824076fffea671

Download Submit
memory/1348-154-0x0000000002B30000-0x0000000002C11000-memory.dmp

Filesize
900KB

Download
memory/1348-147-0x0000000002680000-0x00000000027BD000-memory.dmp

Filesize
1.2MB

Download
memory/1348-149-0x0000000002A20000-0x0000000002B1A000-memory.dmp

Filesize
1000KB

Download
memory/1348-150-0x0000000002B30000-0x0000000002C11000-memory.dmp

Filesize
900KB

Download
memory/1348-151-0x0000000002B30000-0x0000000002C11000-memory.dmp

Filesize
900KB

Download
memory/1348-153-0x0000000002B30000-0x0000000002C11000-memory.dmp

Filesize
900KB

Download
memory/1348-145-0x0000000002680000-0x00000000027BD000-memory.dmp

Filesize
1.2MB

Download
memory/1348-146-0x00000000028F0000-0x00000000028F6000-memory.dmp

Filesize
24KB

Download
memory/3644-163-0x0000000003530000-0x0000000003611000-memory.dmp

Filesize
900KB

Download
memory/3644-156-0x00000000013C0000-0x00000000013C6000-memory.dmp

Filesize
24KB

Download
memory/3644-159-0x0000000003430000-0x000000000352A000-memory.dmp

Filesize
1000KB

Download
memory/3644-161-0x0000000003530000-0x0000000003611000-memory.dmp

Filesize
900KB

Download
memory/3644-157-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3644-164-0x0000000003530000-0x0000000003611000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing