0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d

General

Target

0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe
Size

1.8MB
MD5

8b5937861b7cae2b0ed67954876a2f36
SHA1

d50360ecc36c057fea9945653cfa21c75e8edd70
SHA256

0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d
SHA512

f01fe493d293dc0a7770381efdf00e0ed2754d367ea90a7dc7dbcaedb463207c3abcb92651e2c3c5f4726aae7d3a7bf88899798721273cf060fd7ef379aabad7
SSDEEP

49152:wWhr59BfJXAE+UKuPzCClp/XbRD3mCZBeHtTU:wWhrPBfKEBPzxPbR7pGlU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe

Loads dropped DLL 2 IoCs

pid	Process
392	rundll32.exe
3908	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 640	1728	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	83
PID 1728 wrote to memory of 640	1728	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	83
PID 1728 wrote to memory of 640	1728	0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe	83
PID 640 wrote to memory of 392	640	control.exe	86
PID 640 wrote to memory of 392	640	control.exe	86
PID 640 wrote to memory of 392	640	control.exe	86
PID 392 wrote to memory of 1460	392	rundll32.exe	94
PID 392 wrote to memory of 1460	392	rundll32.exe	94
PID 1460 wrote to memory of 3908	1460	RunDll32.exe	95
PID 1460 wrote to memory of 3908	1460	RunDll32.exe	95
PID 1460 wrote to memory of 3908	1460	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe
"C:\Users\Admin\AppData\Local\Temp\0bb58f7faefbecd371678e0f349eb3730d5d6f3dbead43c84e4bf18dddc2a76d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL",
        5⤵
        Loads dropped DLL
        
        PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XIGH2R.CpL

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\XiGH2r.cpl

Filesize
1.4MB

MD5
2a1bb0d88fd8808762a44c26d6c5a380

SHA1
83a468cacb6d29e9bddfa66f9050f96b0fab2166

SHA256
efeb5327bea24c412600c7159d1b574c13e6e87bd7529c58f91eae17911df536

SHA512
f93d11ae80bcb56e69bb6bb0cb4935519e201c8c099856f945c32b9594106081c3f88d64f524b515570166b84a9276622004545034784e865447ab0232099ace

Download Submit
memory/392-11-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/392-14-0x0000000002810000-0x000000000291C000-memory.dmp

Filesize
1.0MB

Download
memory/392-15-0x0000000002920000-0x0000000002A12000-memory.dmp

Filesize
968KB

Download
memory/392-18-0x0000000002920000-0x0000000002A12000-memory.dmp

Filesize
968KB

Download
memory/392-19-0x0000000002920000-0x0000000002A12000-memory.dmp

Filesize
968KB

Download
memory/392-12-0x0000000010000000-0x0000000010161000-memory.dmp

Filesize
1.4MB

Download
memory/3908-21-0x0000000000CD0000-0x0000000000CD6000-memory.dmp

Filesize
24KB

Download
memory/3908-25-0x0000000002EB0000-0x0000000002FBC000-memory.dmp

Filesize
1.0MB

Download
memory/3908-26-0x0000000002FC0000-0x00000000030B2000-memory.dmp

Filesize
968KB

Download
memory/3908-29-0x0000000002FC0000-0x00000000030B2000-memory.dmp

Filesize
968KB

Download
memory/3908-30-0x0000000002FC0000-0x00000000030B2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing