0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 14:18

Target

tmp.exe
Size

320KB
MD5

1aaea333f1a2b0870df8c506b237eff7
SHA1

5f94408a89c401e2a3d7f59d03c1b98d68d855e2
SHA256

0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7
SHA512

e717f1abb1215a7323dc12e79ef55e926bbb4181e4a77677460cb7289a812536f745828dd06029245fb1cfdd689e42941a7e1ae70fbbf6655b27f7d168e62328
SSDEEP

6144:GfEB4rDaA1co4Ql1YDuYEktDiaAQq26IMJ7nzf5mMO+Cv4M60kWwU:Gu4z1coh3YDuYEktvZFyrrzPCZjknU

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

rovwer.exe

pid process

3604 rovwer.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1740 4124 WerFault.exe tmp.exe

pid	process
3604	rovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp.exe

pid	pid_target	process	target process
1740	4124	WerFault.exe	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 4124 wrote to memory of 3604	4124	tmp.exe	rovwer.exe
PID 4124 wrote to memory of 3604	4124	tmp.exe	rovwer.exe
PID 4124 wrote to memory of 3604	4124	tmp.exe	rovwer.exe

C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe"
2⤵
- Executes dropped EXE
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1284
2⤵
- Program crash
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4124 -ip 4124
1⤵
PID:4644

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe
Filesize
320KB

MD5
1aaea333f1a2b0870df8c506b237eff7

SHA1
5f94408a89c401e2a3d7f59d03c1b98d68d855e2

SHA256
0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7

SHA512
e717f1abb1215a7323dc12e79ef55e926bbb4181e4a77677460cb7289a812536f745828dd06029245fb1cfdd689e42941a7e1ae70fbbf6655b27f7d168e62328

Download Submit
C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe
Filesize
320KB

MD5
1aaea333f1a2b0870df8c506b237eff7

SHA1
5f94408a89c401e2a3d7f59d03c1b98d68d855e2

SHA256
0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7

SHA512
e717f1abb1215a7323dc12e79ef55e926bbb4181e4a77677460cb7289a812536f745828dd06029245fb1cfdd689e42941a7e1ae70fbbf6655b27f7d168e62328

Download Submit
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/4124-132-0x0000000000849000-0x0000000000867000-memory.dmp

Filesize
120KB

Download
memory/4124-133-0x00000000001C0000-0x00000000001FA000-memory.dmp

Filesize
232KB

Download
memory/4124-134-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/4124-138-0x0000000000849000-0x0000000000867000-memory.dmp

Filesize
120KB

Download
memory/4124-139-0x00000000001C0000-0x00000000001FA000-memory.dmp

Filesize
232KB

Download
memory/4124-140-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download