121b288917d42f2f22ad2901e253f87215ea016f94a5d0bfd59aea08fd89b925

General

Target

1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe
Size

2.8MB
MD5

7284dd8c7e79f7f5187e058f1349d4d9
SHA1

e78a7d6a865b65a1b723e5f47d9edb430b4d907b
SHA256

1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0
SHA512

d9d6ac9ac6a703340992ae94d831d71afddc80cfd29dfc98e3d92cf35db1f88592118fd99cd95e8b9e5f3cd1e389c7e24da96735f45ad63a378ef27686b9e384
SSDEEP

49152:yebJV3NdosCTpKteTlA49R3idS/L849cFIzF5pGuijDIiAJuM05:yebJxo8teT64v3QS/L8ScoF55intOLg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
5004	rundll32.exe
4892	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 4552	668	1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe	89
PID 668 wrote to memory of 4552	668	1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe	89
PID 668 wrote to memory of 4552	668	1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe	89
PID 4552 wrote to memory of 2632	4552	cmd.exe	93
PID 4552 wrote to memory of 2632	4552	cmd.exe	93
PID 4552 wrote to memory of 2632	4552	cmd.exe	93
PID 2632 wrote to memory of 5004	2632	control.exe	95
PID 2632 wrote to memory of 5004	2632	control.exe	95
PID 2632 wrote to memory of 5004	2632	control.exe	95
PID 5004 wrote to memory of 1268	5004	rundll32.exe	101
PID 5004 wrote to memory of 1268	5004	rundll32.exe	101
PID 1268 wrote to memory of 4892	1268	RunDll32.exe	102
PID 1268 wrote to memory of 4892	1268	RunDll32.exe	102
PID 1268 wrote to memory of 4892	1268	RunDll32.exe	102

C:\Users\Admin\AppData\Local\Temp\1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe
"C:\Users\Admin\AppData\Local\Temp\1b19170f48afc0bb302febe594d817221fc8bceaeea38f75244b50f1ce448ee0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z7556729C\3MB.BAt" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl",
        6⤵
        Loads dropped DLL
        
        PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl

Filesize
2.2MB

MD5
fe459fbb01d8054a7b973c6a8fcb728d

SHA1
39b1babc66edad7f5d68554f7adf14e088e691f1

SHA256
324cad054d09b3fd583c88d1b587927a878cd98ef4d966b7b1c1c204c3887ace

SHA512
8f54af7decc5f7fd76db16d80ddc11f195609f3d512825e08ab5b9e222aa216530b37e4c13c9bc9f927e2f064dec4ffe941a75248bbe146167c9a2a7d925e56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7556729C\0iTjQR.Cpl

Filesize
3.2MB

MD5
79776e2f980b13f15c1a70fe2f951db0

SHA1
655ae8998b76b392a1bd9a421737f25698cb1788

SHA256
e768f7423227956b964a515ec12a8572a7950327df747c28b81136b28d0b8c5e

SHA512
b26a1879d88ab90b76027f1f8eef68ce5a86e154a11171d13e5e0da3f9e52a403528450a65ad2e21e3cd08163468842796eec13a3a41209c7a402be2bf89e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z7556729C\3MB.BAt

Filesize
91B

MD5
c15261626e67f61d8d59ae08023b00ab

SHA1
c50e2684cdc5bed3e69c54bdf36aa7e1e30f6940

SHA256
ea6f5131a0788bcc9f027b8afbecaa46c40e721739d3ecba601cab5bcdcdd887

SHA512
eb450e6122c91e1f1425a2af2b1e356c5c1666c6f4e0afec1f015f14b1e4b8be05461a7dedebe1451a0df68ae6997a55e534aca4163f8501e66d8c843c56af78

Download Submit
memory/4892-19-0x00000000027E0000-0x00000000027E6000-memory.dmp

Filesize
24KB

Download
memory/4892-27-0x0000000002AB0000-0x0000000002BD9000-memory.dmp

Filesize
1.2MB

Download
memory/4892-26-0x0000000002AB0000-0x0000000002BD9000-memory.dmp

Filesize
1.2MB

Download
memory/4892-23-0x0000000002AB0000-0x0000000002BD9000-memory.dmp

Filesize
1.2MB

Download
memory/4892-22-0x0000000002950000-0x0000000002A96000-memory.dmp

Filesize
1.3MB

Download
memory/5004-10-0x0000000010000000-0x0000000010333000-memory.dmp

Filesize
3.2MB

Download
memory/5004-17-0x0000000003270000-0x0000000003399000-memory.dmp

Filesize
1.2MB

Download
memory/5004-16-0x0000000003270000-0x0000000003399000-memory.dmp

Filesize
1.2MB

Download
memory/5004-13-0x0000000003270000-0x0000000003399000-memory.dmp

Filesize
1.2MB

Download
memory/5004-12-0x0000000003120000-0x0000000003266000-memory.dmp

Filesize
1.3MB

Download
memory/5004-9-0x0000000002880000-0x0000000002886000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing