2b932d8740418e2ca0ffd86c19a194e0e9e73bef0758c5182c8d582c65074e99

Analysis

max time kernel
7s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe
Size

293KB
MD5

3a87456630da7362cc15e14b18047caf
SHA1

7da577c53cfe7cd79c56f7bed9b1ff7d26245075
SHA256

e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b
SHA512

881a721992076c222c2caefd43ea5fa0b032fe313661989b982d3db7156d8396b9f000ed2b466ca6cbbbc6c6c079a681af8c4dd2e84461ab2a86067c6a395b80
SSDEEP

6144:0hKBmh9L7xLmywFKId798LL2oQyerjwb5a:hB+nxUd798LjQyeU5a

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4836	rovwer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4900	4888	WerFault.exe	16

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5016	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4836	4888	e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe	86
PID 4888 wrote to memory of 4836	4888	e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe	86
PID 4888 wrote to memory of 4836	4888	e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe	86

C:\Users\Admin\AppData\Local\Temp\e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe
"C:\Users\Admin\AppData\Local\Temp\e75b6eeeab3631bb5132ff5d8b37274761c9abde15d76c853a8dbd8ce811c46b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
  2⤵
  - Executes dropped EXE
  PID:4836
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1192
  2⤵
  - Program crash
  PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4888 -ip 4888
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
101KB

MD5
3d144cf8c69c65608b0b84a9d7150ba7

SHA1
1f744dde612d0324b56a7bd5b85b39596bf86740

SHA256
fa1eceaf621293f1ec02a27933a3763e08732a0d03ef63b34edb89dbcad4dd2a

SHA512
4a675e9931e1dab1e2e1ed222df7b95373a8f5cbb5641296ab133a6054026245753566636c7a3fd344b30a12ab4b6b6272f11976c79acccc3d40fceea46e4bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe

Filesize
64KB

MD5
254e04bafada88bef458108bd57d6e0c

SHA1
7ca82609bb72735751e513a23cea3b4e99842150

SHA256
0d4b0efe86179220c27ebe733c568124a23bd450ae79b8b23b08620077de9852

SHA512
fd56190f04e6870a29bbb12a3a64dfc8b4d99a95f98af01eea88cbe4ff64328ac071841b201530dd67e2e48afdc1ec6ec08da8e9ed4a874d26226039932c07f0

Download Submit
memory/4836-141-0x0000000002CA6000-0x0000000002CC4000-memory.dmp

Filesize
120KB

Download
memory/4836-142-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/4836-143-0x0000000002CA6000-0x0000000002CC4000-memory.dmp

Filesize
120KB

Download
memory/4836-144-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/4888-134-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/4888-133-0x0000000002D90000-0x0000000002DCA000-memory.dmp

Filesize
232KB

Download
memory/4888-138-0x0000000002DE7000-0x0000000002E05000-memory.dmp

Filesize
120KB

Download
memory/4888-139-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/4888-132-0x0000000002DE7000-0x0000000002E05000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads