9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0

General

Target

9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
Size

1.9MB
MD5

2af29bc7d67f65add890bede62d7ba50
SHA1

4158f8b6f8378767ed1a658ea0e2db11eafcd1fc
SHA256

9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0
SHA512

a4a87fb974d01524d05a7c0c7e71908521ae57ed3103bfe60d9ad6cc83fb4fea45d870ca8284be5e0451eb5bc79845209fe4795fdafdeea19af8a15c582ef623
SSDEEP

49152:wWhr59BfJXAE+USYqWcQYlrUOx5l+tlJcrxEfXghaE30L6aTESjog:wWhrPBfKE7zYYOxcLcCfQQEE3TESJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	rundll32.exe
828	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1612	4892	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	83
PID 4892 wrote to memory of 1612	4892	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	83
PID 4892 wrote to memory of 1612	4892	9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe	83
PID 1612 wrote to memory of 2308	1612	control.exe	86
PID 1612 wrote to memory of 2308	1612	control.exe	86
PID 1612 wrote to memory of 2308	1612	control.exe	86
PID 2308 wrote to memory of 3224	2308	rundll32.exe	89
PID 2308 wrote to memory of 3224	2308	rundll32.exe	89
PID 3224 wrote to memory of 828	3224	RunDll32.exe	90
PID 3224 wrote to memory of 828	3224	RunDll32.exe	90
PID 3224 wrote to memory of 828	3224	RunDll32.exe	90

C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe
"C:\Users\Admin\AppData\Local\Temp\9096068c8ad3b4f5327494e6c3d55c5caa3240507fe20939433b841862f44bd0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL",
        5⤵
        Loads dropped DLL
        
        PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VHsVS~c9.cpL

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhsVs~c9.cpl

Filesize
1.4MB

MD5
f2db5d943fd3c00201c223cd3800c75f

SHA1
bf13930ce7a84f9fa02463f354eeed68dd8e96d3

SHA256
02c6b69497516f64fbe1c7975238a857904c4db1f9cfd852cb81845bf86a78f3

SHA512
ea49547497011856041ad91c8c0a10e8abb6bb188d7046c24f6e5d53e2393ee3250c1167f2e7d7e6ae82c7d3d2dae76b16e699998d2c6a2ad73f04b4b06c8613

Download Submit
memory/828-30-0x0000000002CA0000-0x0000000002D8A000-memory.dmp

Filesize
936KB

Download
memory/828-29-0x0000000002CA0000-0x0000000002D8A000-memory.dmp

Filesize
936KB

Download
memory/828-26-0x0000000002CA0000-0x0000000002D8A000-memory.dmp

Filesize
936KB

Download
memory/828-25-0x0000000002B90000-0x0000000002C93000-memory.dmp

Filesize
1.0MB

Download
memory/828-21-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download
memory/2308-11-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/2308-19-0x0000000000EE0000-0x0000000000FCA000-memory.dmp

Filesize
936KB

Download
memory/2308-18-0x0000000000EE0000-0x0000000000FCA000-memory.dmp

Filesize
936KB

Download
memory/2308-15-0x0000000000EE0000-0x0000000000FCA000-memory.dmp

Filesize
936KB

Download
memory/2308-14-0x00000000029B0000-0x0000000002AB3000-memory.dmp

Filesize
1.0MB

Download
memory/2308-12-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing