3a16c941223ae24e33b62e925575669a52f7993765aadf075a8bea5decd8a836

Analysis

max time kernel
129s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe
Size

312KB
MD5

e5a07be6c167ccf605ba9e6a0608e141
SHA1

d50547756f224ebaf38efc1b2e5134b6caa272ba
SHA256

449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4
SHA512

b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2252	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2252	rundll32.exe

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1912 created 1696 1912 WerFault.exe rundll32.exe
PID 2128 created 1932 2128 WerFault.exe rundll32.exe

description	pid	process	target process
PID 1912 created 1696	1912	WerFault.exe	rundll32.exe
PID 2128 created 1932	2128	WerFault.exe	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61e74fd2175cb_Tue23956aa60ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	61e74fd2175cb_Tue23956aa60ed.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1696 rundll32.exe
1932 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1172 1696 WerFault.exe rundll32.exe
432 1932 WerFault.exe rundll32.exe

pid	process
1696	rundll32.exe
1932	rundll32.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
1172	1696	WerFault.exe	rundll32.exe
432	1932	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

432 WerFault.exe
432 WerFault.exe
1172 WerFault.exe
1172 WerFault.exe

pid	process
432	WerFault.exe
432	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	432	WerFault.exe
Token: SeBackupPrivilege	432	WerFault.exe
Token: SeRestorePrivilege	1172	WerFault.exe
Token: SeBackupPrivilege	1172	WerFault.exe
Token: SeBackupPrivilege	1172	WerFault.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

61e74fd2175cb_Tue23956aa60ed.exe61e74fd2175cb_Tue23956aa60ed.exe61e74fd2175cb_Tue23956aa60ed.exe

pid	process
1856	61e74fd2175cb_Tue23956aa60ed.exe
1856	61e74fd2175cb_Tue23956aa60ed.exe
1436	61e74fd2175cb_Tue23956aa60ed.exe
2752	61e74fd2175cb_Tue23956aa60ed.exe
1436	61e74fd2175cb_Tue23956aa60ed.exe
2752	61e74fd2175cb_Tue23956aa60ed.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

61e74fd2175cb_Tue23956aa60ed.exerundll32.exerundll32.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1856 wrote to memory of 2752	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1856 wrote to memory of 2752	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1856 wrote to memory of 2752	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1856 wrote to memory of 1436	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1856 wrote to memory of 1436	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1856 wrote to memory of 1436	1856	61e74fd2175cb_Tue23956aa60ed.exe	61e74fd2175cb_Tue23956aa60ed.exe
PID 1284 wrote to memory of 1932	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 1932	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 1932	1284	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1696	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1696	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1696	2780	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 1696	1912	WerFault.exe	rundll32.exe
PID 1912 wrote to memory of 1696	1912	WerFault.exe	rundll32.exe
PID 2128 wrote to memory of 1932	2128	WerFault.exe	rundll32.exe
PID 2128 wrote to memory of 1932	2128	WerFault.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
2⤵
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
2⤵
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 604
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 556
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1932 -ip 1932
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1696 -ip 1696
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat
MD5
4d0511c6b3fced567deda83f81c485fc

SHA1
a76a47f933f27e65fa3b6568c37a15b0dbc01b24

SHA256
27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

SHA512
f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
MD5
4d0511c6b3fced567deda83f81c485fc

SHA1
a76a47f933f27e65fa3b6568c37a15b0dbc01b24

SHA256
27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

SHA512
f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
MD5
128d6b829a7c440c0f414266ecbf3010

SHA1
2bb5205fb52b9fa37efd036386c24386216209d1

SHA256
85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

SHA512
c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
MD5
128d6b829a7c440c0f414266ecbf3010

SHA1
2bb5205fb52b9fa37efd036386c24386216209d1

SHA256
85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

SHA512
c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
MD5
128d6b829a7c440c0f414266ecbf3010

SHA1
2bb5205fb52b9fa37efd036386c24386216209d1

SHA256
85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

SHA512
c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
MD5
128d6b829a7c440c0f414266ecbf3010

SHA1
2bb5205fb52b9fa37efd036386c24386216209d1

SHA256
85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

SHA512
c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

Download Submit