93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640

General

Target

93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
Size

2.7MB
MD5

53f70c63e11b5b2592cc2760fa9f7ee0
SHA1

cd2c69037ce17669d30db004a4723b49d652735a
SHA256

93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640
SHA512

8ba0a65d0cbae880818d3f6d3a24c3448066cf9fcdb3e1b754881f2cea650f489ca0b573a9b2622b8129e0f18994a7590a9471e5d933dee506779e01c9235e99
SSDEEP

49152:jmoGDAgI3W2saAWO9aYB74+pK7CB1x4IF+A5iD9A1TK36A85v8:jmoaI3sa4O+oCSj/sO6A8i

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	rundll32.exe
4056	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3604	4944	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	88
PID 4944 wrote to memory of 3604	4944	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	88
PID 4944 wrote to memory of 3604	4944	93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe	88
PID 3604 wrote to memory of 2220	3604	control.exe	91
PID 3604 wrote to memory of 2220	3604	control.exe	91
PID 3604 wrote to memory of 2220	3604	control.exe	91
PID 2220 wrote to memory of 4024	2220	rundll32.exe	98
PID 2220 wrote to memory of 4024	2220	rundll32.exe	98
PID 4024 wrote to memory of 4056	4024	RunDll32.exe	99
PID 4024 wrote to memory of 4056	4024	RunDll32.exe	99
PID 4024 wrote to memory of 4056	4024	RunDll32.exe	99

C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe
"C:\Users\Admin\AppData\Local\Temp\93865cbe0beeac4b9db9824d62f42baca5fff42a7cc839ed915886fd4a49f640.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\DsVk3.cPl",
        5⤵
        Loads dropped DLL
        
        PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DsVk3.cpl

Filesize
2.8MB

MD5
dd67d27c548f4a84fffa7ef1dfd05cf6

SHA1
1e5b28747eb11a0d1b3486a97f0b66066222c3d2

SHA256
044bde60642d879badd2b050ced2227c474d72c53bb88a43fb12424f97581ad9

SHA512
a25775c112c34c0edcb82319ca19ea22572827870780137376b324e191877e6c827f44ada4fa3eabf5c34339ade78933a2430b8192a12ec2f7d69a68741de8d3

Download Submit
memory/2220-12-0x0000000010000000-0x00000000102D9000-memory.dmp

Filesize
2.8MB

Download
memory/2220-11-0x00000000010A0000-0x00000000010A6000-memory.dmp

Filesize
24KB

Download
memory/2220-14-0x00000000032A0000-0x00000000033B5000-memory.dmp

Filesize
1.1MB

Download
memory/2220-16-0x00000000033C0000-0x00000000034BA000-memory.dmp

Filesize
1000KB

Download
memory/2220-15-0x00000000033C0000-0x00000000034BA000-memory.dmp

Filesize
1000KB

Download
memory/2220-18-0x00000000033C0000-0x00000000034BA000-memory.dmp

Filesize
1000KB

Download
memory/2220-19-0x0000000010000000-0x00000000102D9000-memory.dmp

Filesize
2.8MB

Download
memory/2220-24-0x00000000033C0000-0x00000000034BA000-memory.dmp

Filesize
1000KB

Download
memory/2220-25-0x00000000034C0000-0x0000000004A70000-memory.dmp

Filesize
21.7MB

Download
memory/2220-26-0x0000000004A70000-0x0000000004B5C000-memory.dmp

Filesize
944KB

Download
memory/2220-27-0x0000000004B60000-0x0000000004C51000-memory.dmp

Filesize
964KB

Download
memory/2220-28-0x0000000004B60000-0x0000000004C51000-memory.dmp

Filesize
964KB

Download
memory/4056-32-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/4056-34-0x0000000002DC0000-0x0000000002ED5000-memory.dmp

Filesize
1.1MB

Download
memory/4056-36-0x0000000002EE0000-0x0000000002FDA000-memory.dmp

Filesize
1000KB

Download
memory/4056-38-0x0000000002EE0000-0x0000000002FDA000-memory.dmp

Filesize
1000KB

Download
memory/4056-44-0x0000000002EE0000-0x0000000002FDA000-memory.dmp

Filesize
1000KB

Download
memory/4056-46-0x0000000004590000-0x000000000467C000-memory.dmp

Filesize
944KB

Download
memory/4056-48-0x0000000004680000-0x0000000004771000-memory.dmp

Filesize
964KB

Download
memory/4056-50-0x0000000004680000-0x0000000004771000-memory.dmp

Filesize
964KB

Download
memory/4056-51-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/4056-52-0x0000000028190000-0x0000000028194000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing