015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f

General

Target

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe
Size

2.3MB
MD5

f14b54c6e41545c8ba51629183431d1d
SHA1

758aa4668d2206d3a80308ecd2fecae459fed07e
SHA256

015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f
SHA512

d25744c0a1185205641d3f0199bea923d4224e43ea91f371782424339c4d56bd92efe41de3c3f026bf72f5d1e6d324aff3a1d737fade6ae56d2aa3632f899fee
SSDEEP

49152:anGImUlx7X/pQ2P6p6rVzCOKPec313JYbcBKUd+IAWgLqGWQy:aGIfXha29COKWc31ZkcBuIA/Li

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe

Loads dropped DLL 2 IoCs

pid	Process
872	rundll32.exe
1696	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3684	3420	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	88
PID 3420 wrote to memory of 3684	3420	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	88
PID 3420 wrote to memory of 3684	3420	015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe	88
PID 3684 wrote to memory of 872	3684	control.exe	91
PID 3684 wrote to memory of 872	3684	control.exe	91
PID 3684 wrote to memory of 872	3684	control.exe	91
PID 872 wrote to memory of 4700	872	rundll32.exe	94
PID 872 wrote to memory of 4700	872	rundll32.exe	94
PID 4700 wrote to memory of 1696	4700	RunDll32.exe	95
PID 4700 wrote to memory of 1696	4700	RunDll32.exe	95
PID 4700 wrote to memory of 1696	4700	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe
"C:\Users\Admin\AppData\Local\Temp\015a36adeafc759d8034813bff44559ef28060351dd0e8750b87fdf12802e82f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_d8c4M1.CPL",
        5⤵
        Loads dropped DLL
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_d8c4M1.cpl

Filesize
2.0MB

MD5
4516fffb265c3011e2750a255b382363

SHA1
cd74ae4c5424e4f529e29bbd22c4bddadcbdf7dd

SHA256
3dddf9d138c67c29b932605e99bcfbb712e5dc219df9d845c5aaf25bbbc6ba08

SHA512
3c9a4fda5d7a52b660a05d2a82f9f00332aa5bee545d8668653260ae257a608d1b2ff11bc4ffbd16797e6246b3fa02a222c183f0556e797273e19b037b7c47c3

Download Submit
memory/872-24-0x0000000004180000-0x000000000427C000-memory.dmp

Filesize
1008KB

Download
memory/872-12-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/872-52-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/872-15-0x00000000032E0000-0x00000000033E9000-memory.dmp

Filesize
1.0MB

Download
memory/872-51-0x0000000004180000-0x000000000427C000-memory.dmp

Filesize
1008KB

Download
memory/872-18-0x00000000032E0000-0x00000000033E9000-memory.dmp

Filesize
1.0MB

Download
memory/872-19-0x0000000010000000-0x000000001020A000-memory.dmp

Filesize
2.0MB

Download
memory/872-20-0x00000000032E0000-0x00000000033E9000-memory.dmp

Filesize
1.0MB

Download
memory/872-21-0x00000000033F0000-0x0000000004076000-memory.dmp

Filesize
12.5MB

Download
memory/872-22-0x0000000004080000-0x000000000417C000-memory.dmp

Filesize
1008KB

Download
memory/872-23-0x0000000004180000-0x000000000427C000-memory.dmp

Filesize
1008KB

Download
memory/872-11-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/872-14-0x00000000031B0000-0x00000000032D7000-memory.dmp

Filesize
1.2MB

Download
memory/872-17-0x00000000032E0000-0x00000000033E9000-memory.dmp

Filesize
1.0MB

Download
memory/1696-31-0x0000000003070000-0x0000000003179000-memory.dmp

Filesize
1.0MB

Download
memory/1696-33-0x0000000003070000-0x0000000003179000-memory.dmp

Filesize
1.0MB

Download
memory/1696-34-0x0000000003070000-0x0000000003179000-memory.dmp

Filesize
1.0MB

Download
memory/1696-37-0x0000000003070000-0x0000000003179000-memory.dmp

Filesize
1.0MB

Download
memory/1696-39-0x0000000003E10000-0x0000000003F0C000-memory.dmp

Filesize
1008KB

Download
memory/1696-41-0x0000000003F10000-0x000000000400C000-memory.dmp

Filesize
1008KB

Download
memory/1696-43-0x0000000003F10000-0x000000000400C000-memory.dmp

Filesize
1008KB

Download
memory/1696-44-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/1696-45-0x0000000017A00000-0x0000000017A4B000-memory.dmp

Filesize
300KB

Download
memory/1696-30-0x0000000002F40000-0x0000000003067000-memory.dmp

Filesize
1.2MB

Download
memory/1696-27-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing