e073c444db7d35e299ad27860f180001b8b8f30b0bc322f91e08d2c3ff69e2ac

General

Target

2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe
Size

2.2MB
MD5

b0a57b92cae07ae3cad328836c68e96b
SHA1

c0780cfe1ce52bd8c87c73a4e2887a3f6981dde9
SHA256

2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186
SHA512

5de9d7742947728a628de98adb83fae539e0c1263a44a21ac68865c9429a740bfb19ade16a6c419fad952abb15425d8a68d4a17d5687d116dc2afb40d5742148
SSDEEP

49152:UJGiWtEQM6lmdgfnmQaRyzFOmukuffX4gMUuxmQ2T+wSHSqrxShmVJyOBWJB:UIioEQJugfnfa85OUufnyxx2T+w1qrgn

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe

Loads dropped DLL 2 IoCs

pid	Process
4564	rundll32.exe
3880	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3928	1272	2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe	91
PID 1272 wrote to memory of 3928	1272	2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe	91
PID 1272 wrote to memory of 3928	1272	2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe	91
PID 3928 wrote to memory of 4564	3928	control.exe	93
PID 3928 wrote to memory of 4564	3928	control.exe	93
PID 3928 wrote to memory of 4564	3928	control.exe	93
PID 4564 wrote to memory of 3048	4564	rundll32.exe	98
PID 4564 wrote to memory of 3048	4564	rundll32.exe	98
PID 3048 wrote to memory of 3880	3048	RunDll32.exe	99
PID 3048 wrote to memory of 3880	3048	RunDll32.exe	99
PID 3048 wrote to memory of 3880	3048	RunDll32.exe	99

C:\Users\Admin\AppData\Local\Temp\2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe
"C:\Users\Admin\AppData\Local\Temp\2121bb382dba90ca0e780820eba937ea93bba1de1214ec4512bf7f4502037186.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl",
        5⤵
        Loads dropped DLL
        
        PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl

Filesize
309KB

MD5
f888ccf38e434f26809f760839cb6e40

SHA1
9c77f2f9ed0e5618ee801ecabda755d38d9bef7b

SHA256
d653e3a432b35edb5527c3586db2b27c8ff8153369e74cd7b573a943e1e2865b

SHA512
7e356a6c6589a8188cce9c10235a05dd1a8f0c39b4beb42434bb8d2c0185c1c71ea246e61d3ab1b619c1e62c620b7552e00a48135e40a749679b723cc72d19e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl

Filesize
144KB

MD5
acbba6e2f224df37e2dad22c19544f20

SHA1
35c986c055874371fa25f49d4f1ae5f1c2316196

SHA256
5cc106d3b0249578682a7a84c4461bd2ff3e1878b834e96ede0e68668f02c567

SHA512
a6e74ab0bffa0010063535f980609df25286fc3d3dd4312814c231b6605ee2ee97452723de461103fe9eef3071a7a69943161a2c55c26dde3eff16e4ca944de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl

Filesize
545KB

MD5
7a83d5488392c99fef584b37e16fa702

SHA1
ce3b40aebeec6cb24a5e82bb95459be4db731c09

SHA256
45c570ed0271bba7d3bfa651d09ff2de7c1066ae16bfa8c0222377c23f78b6b5

SHA512
a7b7d0f6ff144238b400012581d252fc6acccd4b5e82263061f3cddc83e5ff72d754279bf7b88a1bbedbb485db0ad8b66b825f6cab57a52a41fa94eaa94655c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F4A22C7\Av5~k.CPl

Filesize
401KB

MD5
5954a73dd757bebccac770ea8efb586f

SHA1
4e0d56001c8cc3c5016b3c31d2e0f95262382962

SHA256
fda96b8e94a2e9123eb2b0e78b68996d627de3ee51f75b5563e4bf405129aaaf

SHA512
75ed2dd1e2daeb76a57256b647737fa2a6336ab829f4075a5a5b602f323ee1f72de66241fde3d957e1fcab52dc06134c77c7d5246819d49aae0f71298ec2f5e9

Download Submit
memory/3880-29-0x0000000002C90000-0x0000000002D9F000-memory.dmp

Filesize
1.1MB

Download
memory/3880-26-0x0000000002C90000-0x0000000002D9F000-memory.dmp

Filesize
1.1MB

Download
memory/3880-28-0x0000000002C90000-0x0000000002D9F000-memory.dmp

Filesize
1.1MB

Download
memory/3880-24-0x0000000002B60000-0x0000000002C8D000-memory.dmp

Filesize
1.2MB

Download
memory/3880-21-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/4564-12-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/4564-19-0x00000000028D0000-0x00000000029DF000-memory.dmp

Filesize
1.1MB

Download
memory/4564-15-0x00000000028D0000-0x00000000029DF000-memory.dmp

Filesize
1.1MB

Download
memory/4564-16-0x00000000028D0000-0x00000000029DF000-memory.dmp

Filesize
1.1MB

Download
memory/4564-18-0x00000000028D0000-0x00000000029DF000-memory.dmp

Filesize
1.1MB

Download
memory/4564-14-0x00000000027A0000-0x00000000028CD000-memory.dmp

Filesize
1.2MB

Download
memory/4564-11-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing