Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-10-2022 14:18
Static task: static1
Behavioral task: behavioral1 (sample tmp.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample tmp.exe, resource win10v2004-20220812-en)
General
Target: tmp.exe
Size: 320KB
MD5: 1aaea333f1a2b0870df8c506b237eff7
SHA1: 5f94408a89c401e2a3d7f59d03c1b98d68d855e2
SHA256: 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7
SHA512: e717f1abb1215a7323dc12e79ef55e926bbb4181e4a77677460cb7289a812536f745828dd06029245fb1cfdd689e42941a7e1ae70fbbf6655b27f7d168e62328
SSDEEP: 6144:GfEB4rDaA1co4Ql1YDuYEktDiaAQq26IMJ7nzf5mMO+Cv4M60kWwU:Gu4z1coh3YDuYEktvZFyrrzPCZjknU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: rovwer.exe (PID 3604)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process tmp.exe: key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Process WerFault.exe (PID 1740), target process tmp.exe (PID 4124)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process tmp.exe (PID 4124) wrote to memory of rovwer.exe (PID 3604), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe (PID 3604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe"
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 1740)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1284
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4644)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4124 -ip 4124
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\965f310d06\rovwer.exe
  Filesize: 320KB
  MD5: 1aaea333f1a2b0870df8c506b237eff7
  SHA1: 5f94408a89c401e2a3d7f59d03c1b98d68d855e2
  SHA256: 0321da385d5c03cea287316cabb9190060cdb444a9816121ede86ec31bcbfdc7
  SHA512: e717f1abb1215a7323dc12e79ef55e926bbb4181e4a77677460cb7289a812536f745828dd06029245fb1cfdd689e42941a7e1ae70fbbf6655b27f7d168e62328
- memory/3604-135-0x0000000000000000-mapping.dmp
- memory/4124-132-0x0000000000849000-0x0000000000867000-memory.dmp (Filesize: 120KB)
- memory/4124-133-0x00000000001C0000-0x00000000001FA000-memory.dmp (Filesize: 232KB)
- memory/4124-134-0x0000000000400000-0x00000000007F6000-memory.dmp (Filesize: 4.0MB)
- memory/4124-138-0x0000000000849000-0x0000000000867000-memory.dmp (Filesize: 120KB)
- memory/4124-139-0x00000000001C0000-0x00000000001FA000-memory.dmp (Filesize: 232KB)
- memory/4124-140-0x0000000000400000-0x00000000007F6000-memory.dmp (Filesize: 4.0MB)