cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d

General

Target

cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
Size

23KB
MD5

03250f6af647666a21b24e1136ac1e90
SHA1

a8c7a75959bf728af158f8c4454c2821fa6ef506
SHA256

cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d
SHA512

193258cec8fca0f1573696323f161be0456546e4a5532a3e432e4776419bdf1f758c1cd7ab75b0e451af0cccde86a056d2ca09c99d8993efa1ba562352106a20
SSDEEP

384:H+nJ9SCyR1kH+8Q+Wg8Hgl0fuwiR6hV8pBuGrkms+xngUIESuubqebx0ekOB6J5:H+nJ+16+7+8ASWwiR6f8buGNLxRIESJm

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\wbosakji.sys	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
944	woauolt.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe\Debugger = "svchost.exe"	rundll32.exe

Deletes itself 1 IoCs

pid	Process
960	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\361kary = "C:\\Windows\\system32\\woauolt.exe"	woauolt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\361kary = "C:\\Windows\\system32\\woauolt.exe"	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	woauolt.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\woauolt.exe	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
File created	C:\Windows\SysWOW64\woauolt.exe	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\doscmda.dll	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
1340	rundll32.exe
904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
944	woauolt.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 1340	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	26
PID 1424 wrote to memory of 904	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	27
PID 1424 wrote to memory of 904	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	27
PID 1424 wrote to memory of 904	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	27
PID 1424 wrote to memory of 904	1424	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	27
PID 904 wrote to memory of 944	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	28
PID 904 wrote to memory of 944	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	28
PID 904 wrote to memory of 944	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	28
PID 904 wrote to memory of 944	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	28
PID 944 wrote to memory of 956	944	woauolt.exe	29
PID 944 wrote to memory of 956	944	woauolt.exe	29
PID 944 wrote to memory of 956	944	woauolt.exe	29
PID 944 wrote to memory of 956	944	woauolt.exe	29
PID 904 wrote to memory of 960	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	30
PID 904 wrote to memory of 960	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	30
PID 904 wrote to memory of 960	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	30
PID 904 wrote to memory of 960	904	cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe	30

C:\Users\Admin\AppData\Local\Temp\cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
"C:\Users\Admin\AppData\Local\Temp\cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\doscmda.dll MyEntryPoint
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
  C:\Users\Admin\AppData\Local\Temp\cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\woauolt.exe
    C:\Windows\system32\woauolt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Windows\system32\woauolt.exe
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\Users\Admin\AppData\Local\Temp\cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d.exe
    3⤵
    - Deletes itself
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\woauolt.exe

Filesize
23KB

MD5
03250f6af647666a21b24e1136ac1e90

SHA1
a8c7a75959bf728af158f8c4454c2821fa6ef506

SHA256
cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d

SHA512
193258cec8fca0f1573696323f161be0456546e4a5532a3e432e4776419bdf1f758c1cd7ab75b0e451af0cccde86a056d2ca09c99d8993efa1ba562352106a20

Download Submit
C:\Windows\SysWOW64\woauolt.exe

Filesize
23KB

MD5
03250f6af647666a21b24e1136ac1e90

SHA1
a8c7a75959bf728af158f8c4454c2821fa6ef506

SHA256
cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d

SHA512
193258cec8fca0f1573696323f161be0456546e4a5532a3e432e4776419bdf1f758c1cd7ab75b0e451af0cccde86a056d2ca09c99d8993efa1ba562352106a20

Download Submit
C:\Windows\doscmda.dll

Filesize
44KB

MD5
73b503a394b6250bac9a0295548bb51c

SHA1
3e8ffeba62243b7305baf6010e5782f3a84ddd13

SHA256
d528004ba0b37aaef005d0972b6c71e2923712b3f3b43faa557d37f1a5ffcf78

SHA512
32481a749962b440e181b1754e7d765c3e521692eda926ff1c390c0bdf16add5c329ddff14d4994ed5b0ad0dd26a5cb9abb322320d2621ab20107fedd5eeb97b

Download Submit
\Windows\SysWOW64\woauolt.exe

Filesize
23KB

MD5
03250f6af647666a21b24e1136ac1e90

SHA1
a8c7a75959bf728af158f8c4454c2821fa6ef506

SHA256
cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d

SHA512
193258cec8fca0f1573696323f161be0456546e4a5532a3e432e4776419bdf1f758c1cd7ab75b0e451af0cccde86a056d2ca09c99d8993efa1ba562352106a20

Download Submit
\Windows\SysWOW64\woauolt.exe

Filesize
23KB

MD5
03250f6af647666a21b24e1136ac1e90

SHA1
a8c7a75959bf728af158f8c4454c2821fa6ef506

SHA256
cd3045933d96b0bc6fca41c2e8df4367dabc23e8a5f7fbb2a3e399b892b3b52d

SHA512
193258cec8fca0f1573696323f161be0456546e4a5532a3e432e4776419bdf1f758c1cd7ab75b0e451af0cccde86a056d2ca09c99d8993efa1ba562352106a20

Download Submit
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads