d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d

Analysis

max time kernel
171s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
Size

151KB
MD5

44667825e4463f2eef4410a36e4f442c
SHA1

6acf2b01f4f8bd5af3837a486ee2ae7df5b3d4f0
SHA256

d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d
SHA512

952c56f36dea369179ef30a57710030534fa1ff4d26d8d6a40eccb26343418d0d1e4a19545f0693c4a99f15ba56d05bff31a75bea3ddfb590173da7f5b0215b2
SSDEEP

1536:0289yVVa3PIZ2otlrcKEFHQ10KgxQ19KKp5l5QWLHGQ84V6oDF+CuR1p35sHUndm:zn2otlrlGw1tl1lLj84V6WF+3P5dnd

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe

Loads dropped DLL 5 IoCs

pid	Process
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
4276	WerFault.exe
1940	WerFault.exe
4312	WerFault.exe
1844	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1940	3416	WerFault.exe	79
1844	3416	WerFault.exe	79

Runs .reg file with regedit 1 IoCs

pid	Process
2500	regedit.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3404	3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	80
PID 3416 wrote to memory of 3404	3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	80
PID 3416 wrote to memory of 3404	3416	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	80
PID 3404 wrote to memory of 2500	3404	regedt32.exe	81
PID 3404 wrote to memory of 2500	3404	regedt32.exe	81
PID 3404 wrote to memory of 2500	3404	regedt32.exe	81

C:\Users\Admin\AppData\Local\Temp\d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1264
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1260
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3416 -ip 3416
1⤵
- Loads dropped DLL
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3416 -ip 3416
1⤵
- Loads dropped DLL
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
005150af521acc28c89f8d247570661e

SHA1
a041c35b13466c810fb5b86a18391b6005ebdf4f

SHA256
5d0a0a606e004b4fbf23c42b82d9c288146e50b662b396c62a944e19d2f79bf4

SHA512
0ba47438731a53af35f14f2cc9ddc929ba2ef1e5d88f6a73cd7bee6afa5e9e9a925267f2a7e1731389ff6364690651df3a801d49265c89f6a3d5bf00226a49e5

Download Submit
C:\Users\Admin\Documents\Iterra\jqbagqm.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
C:\Users\Admin\Documents\Iterra\jqbagqm.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
C:\Users\Admin\Documents\Iterra\jqbagqm.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
C:\Users\Admin\Documents\Iterra\jqbagqm.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
C:\Users\Admin\Documents\Iterra\jqbagqm.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
memory/3416-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-138-0x0000000003080000-0x0000000003153000-memory.dmp

Filesize
844KB

Download
memory/3416-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3416-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download