3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9

General

Target

3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe
Size

2.3MB
MD5

6a040562b87075ae8b9c41a0e389d2d9
SHA1

92a437ad815ae3e21539a9bd5c9c75112db5c998
SHA256

3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9
SHA512

1f9ff4d22ca23ce1cb61c2f8178f6e15de9272b6819ef8983ae5a4b7405798c095f8aea39c0ef47540b436fb6179bb66701265ed4939f76637812950d14174ff
SSDEEP

49152:XcL4/TW35sOioJgVbgX1RWZ8dLE7dJPx9PHhTgtgtX4b6nccK:XcL445v+cXeZELcdLFH0CQ2ccK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe

Loads dropped DLL 2 IoCs

pid	Process
5004	rundll32.exe
2688	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1128	4160	3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe	84
PID 4160 wrote to memory of 1128	4160	3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe	84
PID 4160 wrote to memory of 1128	4160	3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe	84
PID 1128 wrote to memory of 5004	1128	control.exe	86
PID 1128 wrote to memory of 5004	1128	control.exe	86
PID 1128 wrote to memory of 5004	1128	control.exe	86
PID 5004 wrote to memory of 4940	5004	rundll32.exe	94
PID 5004 wrote to memory of 4940	5004	rundll32.exe	94
PID 4940 wrote to memory of 2688	4940	RunDll32.exe	95
PID 4940 wrote to memory of 2688	4940	RunDll32.exe	95
PID 4940 wrote to memory of 2688	4940	RunDll32.exe	95

C:\Users\Admin\AppData\Local\Temp\3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe
"C:\Users\Admin\AppData\Local\Temp\3adf9a6f35557d2303758bbebab8570d79a1e8b7e9abe7cc2688afbf5b360dc9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\0Mr4Dz.cPl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0Mr4Dz.cPl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\0Mr4Dz.cPl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\0Mr4Dz.cPl",
        5⤵
        Loads dropped DLL
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0Mr4Dz.cpl

Filesize
2.0MB

MD5
d3c47af0e632fd977b33d4f5b09b3347

SHA1
e581523b289f9e533efe83417e2c1f33f08037a2

SHA256
38b5f0f67d791f0fe953c180f99c8f5a2aa3d996e2054fad64e0f9acfd2c1c67

SHA512
b506162062b5b5df9952fd372138a42d9e30afb77b7377abb0b6ce91217b2a3f874668eca1375ca696e0ed8bb6628dbfa25410e2c90ed4cfc63c3f479d238b51

Download Submit
memory/2688-28-0x0000000003080000-0x00000000031A9000-memory.dmp

Filesize
1.2MB

Download
memory/2688-44-0x00000000785F0000-0x00000000785F4000-memory.dmp

Filesize
16KB

Download
memory/2688-43-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/2688-42-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/2688-39-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/2688-38-0x0000000004F70000-0x000000000506E000-memory.dmp

Filesize
1016KB

Download
memory/2688-36-0x00000000031B0000-0x00000000032BD000-memory.dmp

Filesize
1.1MB

Download
memory/2688-32-0x00000000031B0000-0x00000000032BD000-memory.dmp

Filesize
1.1MB

Download
memory/2688-29-0x00000000031B0000-0x00000000032BD000-memory.dmp

Filesize
1.1MB

Download
memory/5004-15-0x0000000002B90000-0x0000000002C9D000-memory.dmp

Filesize
1.1MB

Download
memory/5004-22-0x0000000004A50000-0x0000000004B5A000-memory.dmp

Filesize
1.0MB

Download
memory/5004-21-0x0000000004950000-0x0000000004A4E000-memory.dmp

Filesize
1016KB

Download
memory/5004-20-0x0000000002CA0000-0x000000000494F000-memory.dmp

Filesize
28.7MB

Download
memory/5004-19-0x0000000002B90000-0x0000000002C9D000-memory.dmp

Filesize
1.1MB

Download
memory/5004-16-0x0000000010000000-0x0000000010205000-memory.dmp

Filesize
2.0MB

Download
memory/5004-12-0x0000000002B90000-0x0000000002C9D000-memory.dmp

Filesize
1.1MB

Download
memory/5004-11-0x0000000002A60000-0x0000000002B89000-memory.dmp

Filesize
1.2MB

Download
memory/5004-9-0x0000000010000000-0x0000000010205000-memory.dmp

Filesize
2.0MB

Download
memory/5004-8-0x0000000000D60000-0x0000000000D66000-memory.dmp

Filesize
24KB

Download
memory/5004-49-0x0000000004A50000-0x0000000004B5A000-memory.dmp

Filesize
1.0MB

Download
memory/5004-50-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing