18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8

General

Target

18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe
Size

177KB
MD5

038ad47c0e89f42b66ed2a72a70b1812
SHA1

ee504abfd0369f274e8347b2b592b9c546cf825c
SHA256

18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8
SHA512

21f25d832ea5022887c7e50c01724a2567f55fd3482221b8f0525eafe6cbf30a9eca4b2f2dae687e34cabc4cc9de921fecbb42afb54a1ab03456667d634d3e95
SSDEEP

3072:7hxkoCDLHmrAntgPGjuod42yS51XFnndUKiXNb:NwDjmrqlNH/Xlndhy

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe

Loads dropped DLL 7 IoCs

pid	Process
1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe
4780	WerFault.exe
4728	WerFault.exe
4164	WerFault.exe
1480	WerFault.exe
1216	WerFault.exe
4556	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4728	1956	WerFault.exe	79
1480	1956	WerFault.exe	79
4556	1956	WerFault.exe	79

Runs .reg file with regedit 1 IoCs

pid	Process
3016	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe
1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 3312	1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe	80
PID 1956 wrote to memory of 3312	1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe	80
PID 1956 wrote to memory of 3312	1956	18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe	80
PID 3312 wrote to memory of 3016	3312	regedt32.exe	81
PID 3312 wrote to memory of 3016	3312	regedt32.exe	81
PID 3312 wrote to memory of 3016	3312	regedt32.exe	81

C:\Users\Admin\AppData\Local\Temp\18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe
"C:\Users\Admin\AppData\Local\Temp\18655503f0c9d381006e25bdc856d6a0364be810ff16cebc26b53eddd7641ee8.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 616
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 876
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1020
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
1⤵
- Loads dropped DLL
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1956 -ip 1956
1⤵
- Loads dropped DLL
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
1⤵
- Loads dropped DLL
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
f16a588a88f4f9476edd54660d7da17a

SHA1
50c1175e1dd84c1e862e7c939d435165d8a0d3aa

SHA256
da01ec8e811f530899a7e4c31f997d40a9be135c99245c07063c49fc09cd0fe9

SHA512
3677fe5f54923d804ec35f7c08c9b1937c4b1d16c51c2d661c5872c1d2d914740b15eb1f8d907839e281b87f9e409e8cf254057cfbf11087bc7e024a379c2dfc

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
C:\Users\Admin\Documents\Iterra\mxhiajf.dll

Filesize
41KB

MD5
530c4079c568f5f9163fa9b2c7f1a678

SHA1
5eb96e204991664a4d3b2b17cf7756714179cb65

SHA256
349f8c958b7ac3f3c8ff08543145e7cc9b044fd676d879da11b026cd72b884e5

SHA512
27f90798ba757fbc4320248f093fe107ccad090319b35929291c7353f6878df43f8045715682b4d27f3efccef9bd37293a0ac4c3640a4d0093485689efa98596

Download Submit
memory/1956-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3016-135-0x0000000000000000-mapping.dmp

Download
memory/3312-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing