73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3

General

Target

73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe
Size

3.6MB
MD5

1dca8891cdd7bfa6b748134232b38c07
SHA1

a97242a7eb5fcf4952f7313a681186e74f113d9d
SHA256

73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3
SHA512

6c23b7dc09520ee5d9a48c8918d81d1a03d2bbb60316246097ff2036e37ceadd0ec6f00f91e3aa9cfa9529ee910a168463ad7192782a6b65e6fb5cc0d1c199fa
SSDEEP

98304:ZwBQ23K62SraWmZ13kXx6uHfmHbSlnaWLuZWila:KQWK62uYjkB63HuaEuZWila

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
50	3464	rundll32.exe
57	3464	rundll32.exe
66	3464	rundll32.exe
68	3464	rundll32.exe
73	3464	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3464	rundll32.exe
3464	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4056	860	WerFault.exe	82

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3464	860	73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe	83
PID 860 wrote to memory of 3464	860	73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe	83
PID 860 wrote to memory of 3464	860	73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe	83

C:\Users\Admin\AppData\Local\Temp\73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe
"C:\Users\Admin\AppData\Local\Temp\73f29ea1622c7db0305c05834ac18fe3c2854ae55f7c624fb1e7b9b88d4f33b3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 484
  2⤵
  - Program crash
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 860 -ip 860
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll

Filesize
4.3MB

MD5
0b8302becf8aecf8565d6d74a2441499

SHA1
20d3a02bae1ba9fdb8f0c5d4a0d3db80b9b171f9

SHA256
bddaaed9682bffa1b463af6308c89fa3c5d354655e481c1a2294e77f813e1485

SHA512
09f6a3a8b42c7adace343a486bb9c92f0d0bae5f660a2388639929166f9674ac04b878a9ac0432766e9ca56c14a0c68b19b7518f62ad8c953cb3196b9c491b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll

Filesize
4.3MB

MD5
0b8302becf8aecf8565d6d74a2441499

SHA1
20d3a02bae1ba9fdb8f0c5d4a0d3db80b9b171f9

SHA256
bddaaed9682bffa1b463af6308c89fa3c5d354655e481c1a2294e77f813e1485

SHA512
09f6a3a8b42c7adace343a486bb9c92f0d0bae5f660a2388639929166f9674ac04b878a9ac0432766e9ca56c14a0c68b19b7518f62ad8c953cb3196b9c491b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serpodtudpwhhta.dll

Filesize
4.3MB

MD5
0b8302becf8aecf8565d6d74a2441499

SHA1
20d3a02bae1ba9fdb8f0c5d4a0d3db80b9b171f9

SHA256
bddaaed9682bffa1b463af6308c89fa3c5d354655e481c1a2294e77f813e1485

SHA512
09f6a3a8b42c7adace343a486bb9c92f0d0bae5f660a2388639929166f9674ac04b878a9ac0432766e9ca56c14a0c68b19b7518f62ad8c953cb3196b9c491b78

Download Submit
memory/860-132-0x00000000025BA000-0x000000000293F000-memory.dmp

Filesize
3.5MB

Download
memory/860-133-0x0000000002940000-0x0000000002E25000-memory.dmp

Filesize
4.9MB

Download
memory/860-134-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/860-135-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/860-143-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3464-140-0x0000000002650000-0x0000000002AA7000-memory.dmp

Filesize
4.3MB

Download
memory/3464-141-0x0000000002650000-0x0000000002AA7000-memory.dmp

Filesize
4.3MB

Download
memory/3464-142-0x0000000002650000-0x0000000002AA7000-memory.dmp

Filesize
4.3MB

Download
memory/3464-144-0x00000000039C0000-0x000000000450D000-memory.dmp

Filesize
11.3MB

Download
memory/3464-145-0x00000000039C0000-0x000000000450D000-memory.dmp

Filesize
11.3MB

Download
memory/3464-146-0x00000000039C0000-0x000000000450D000-memory.dmp

Filesize
11.3MB

Download
memory/3464-147-0x0000000004610000-0x0000000004750000-memory.dmp

Filesize
1.2MB

Download
memory/3464-148-0x0000000004610000-0x0000000004750000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing