a738367f93bfb0cf25b5c027b48e6c113d51a4d943ef9bccdbe69ea40b19016d

General

Target

ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe
Size

2.4MB
MD5

2bb57dd857aaa733ca04880990a6cc94
SHA1

f7964765a5dea62a4ce454eb714e73a7fb9753b4
SHA256

ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407
SHA512

1e24d6569484c228e0fe8683f61f25e96a0056c8cf948fbeaae1f00968467c8dad3ae2275968b10f2d9b0080bde8276da48577a7afd8c255764b6fb7d3b3be8a
SSDEEP

49152:ISDAS/DRzE6hOrWPuL30CtNlTNHsl0L2LLX38dTQcKqcLi2t5412VG2d2uKc4PRm:ISDA0hEdWGL30AlhHOo2LT6TQno0qK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	rundll32.exe
4024	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 412	3648	ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe	86
PID 3648 wrote to memory of 412	3648	ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe	86
PID 3648 wrote to memory of 412	3648	ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe	86
PID 412 wrote to memory of 408	412	cmd.exe	89
PID 412 wrote to memory of 408	412	cmd.exe	89
PID 412 wrote to memory of 408	412	cmd.exe	89
PID 408 wrote to memory of 2220	408	control.exe	90
PID 408 wrote to memory of 2220	408	control.exe	90
PID 408 wrote to memory of 2220	408	control.exe	90
PID 2220 wrote to memory of 664	2220	rundll32.exe	91
PID 2220 wrote to memory of 664	2220	rundll32.exe	91
PID 664 wrote to memory of 4024	664	RunDll32.exe	92
PID 664 wrote to memory of 4024	664	RunDll32.exe	92
PID 664 wrote to memory of 4024	664	RunDll32.exe	92

C:\Users\Admin\AppData\Local\Temp\ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe
"C:\Users\Admin\AppData\Local\Temp\ec6afcb293fcdccc66eaa852e9ca99f6d149561553eeafa14b23d64f9c939407.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\3rXlAjY.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\control.exe
    cONTROl "C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrH.X9i"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrH.X9i"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrH.X9i"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrH.X9i"
        6⤵
        Loads dropped DLL
        
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\3rXlAjY.bat

Filesize
28B

MD5
d7ccc3079b14bfc98b71e231f63a18f3

SHA1
bf09701ad9a0901eea10f5620b812c23ece1d6f4

SHA256
789be5dfd4d96d5f5c20d38b100fc1cdc04d3913d8f5ee6a6723428e424e79c4

SHA512
cb0f291bfefd0e57f94d205149dbf5c503021850b4a696109c9edab78da90e0c376d7d0072631f2f502e3756cdacada24881b4844b66cc5153c71fedfec093b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrH.X9i

Filesize
2.5MB

MD5
69f67d30dfa020a5199fc7ac434651bc

SHA1
85eb70742bb67ae6f634bf63a820b9121d733a66

SHA256
5824f29e207cbb3f764bb2c23155e48cf8e22b0dcdb6ca3f9382b8cbe0c6e38c

SHA512
6152b2c1c66048652a0fbaa6a6a000d37987a4e9b7c253c7349eb177578988fb1f68d737c167972ab16f5a487844e5e138232969aaa4b371c3396d12b790cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrh.X9i

Filesize
2.5MB

MD5
69f67d30dfa020a5199fc7ac434651bc

SHA1
85eb70742bb67ae6f634bf63a820b9121d733a66

SHA256
5824f29e207cbb3f764bb2c23155e48cf8e22b0dcdb6ca3f9382b8cbe0c6e38c

SHA512
6152b2c1c66048652a0fbaa6a6a000d37987a4e9b7c253c7349eb177578988fb1f68d737c167972ab16f5a487844e5e138232969aaa4b371c3396d12b790cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7EEB6E40\JAtrh.X9i

Filesize
2.5MB

MD5
69f67d30dfa020a5199fc7ac434651bc

SHA1
85eb70742bb67ae6f634bf63a820b9121d733a66

SHA256
5824f29e207cbb3f764bb2c23155e48cf8e22b0dcdb6ca3f9382b8cbe0c6e38c

SHA512
6152b2c1c66048652a0fbaa6a6a000d37987a4e9b7c253c7349eb177578988fb1f68d737c167972ab16f5a487844e5e138232969aaa4b371c3396d12b790cd0d

Download Submit
memory/2220-9-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/2220-12-0x0000000003490000-0x0000000003595000-memory.dmp

Filesize
1.0MB

Download
memory/2220-13-0x00000000035A0000-0x000000000368A000-memory.dmp

Filesize
936KB

Download
memory/2220-16-0x00000000035A0000-0x000000000368A000-memory.dmp

Filesize
936KB

Download
memory/2220-17-0x00000000035A0000-0x000000000368A000-memory.dmp

Filesize
936KB

Download
memory/2220-10-0x0000000010000000-0x0000000010275000-memory.dmp

Filesize
2.5MB

Download
memory/4024-19-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/4024-22-0x00000000027E0000-0x00000000028E5000-memory.dmp

Filesize
1.0MB

Download
memory/4024-23-0x00000000028F0000-0x00000000029DA000-memory.dmp

Filesize
936KB

Download
memory/4024-26-0x00000000028F0000-0x00000000029DA000-memory.dmp

Filesize
936KB

Download
memory/4024-27-0x00000000028F0000-0x00000000029DA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing