f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad

General

Target

f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
Size

173KB
MD5

3feb88a38d7e8692436aced0fbc5e798
SHA1

e86aabad1cd6539e2e0cba7b4ae07d5b33fbde7f
SHA256

f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad
SHA512

e860a1052ebe3af9edb309bd303066de4ab77e116b6b81fd142e903a404ce77122453189acedc0008ded3640be570125833ed6e67673888bc7a2cd247d67facc
SSDEEP

3072:CdclVo8bVCsZRb4k6m92rtby1l08ndSQGP:dnpR1X+tbyI8ndS

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3636	1608	WerFault.exe	81
1852	1608	WerFault.exe	81
932	1608	WerFault.exe	81
4744	1608	WerFault.exe	81
1196	1608	WerFault.exe	81
1424	1608	WerFault.exe	81
4868	1608	WerFault.exe	81
4756	1608	WerFault.exe	81

Runs .reg file with regedit 1 IoCs

pid	Process
3144	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 456	1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe	108
PID 1608 wrote to memory of 456	1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe	108
PID 1608 wrote to memory of 456	1608	f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe	108
PID 456 wrote to memory of 3144	456	regedt32.exe	111
PID 456 wrote to memory of 3144	456	regedt32.exe	111
PID 456 wrote to memory of 3144	456	regedt32.exe	111

C:\Users\Admin\AppData\Local\Temp\f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
"C:\Users\Admin\AppData\Local\Temp\f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 604
  2⤵
  - Program crash
  PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 728
  2⤵
  - Program crash
  PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 748
  2⤵
  - Program crash
  PID:932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 896
  2⤵
  - Program crash
  PID:4744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 960
  2⤵
  - Program crash
  PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 960
  2⤵
  - Program crash
  PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 972
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 884
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1608 -ip 1608
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1608 -ip 1608
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1608 -ip 1608
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1608 -ip 1608
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1608 -ip 1608
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1608 -ip 1608
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1608 -ip 1608
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1608 -ip 1608
1⤵
PID:4948

Network

DNS

knnistabe.com

f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

Remote address:

8.8.8.8:53

Request

knnistabe.com

IN A

Response

72.21.91.29:80

322 B
7
67.26.109.254:80

322 B
7
104.80.225.205:443

322 B
7
20.50.80.209:443

322 B
7
67.26.109.254:80

322 B
7
67.26.109.254:80

322 B
7
67.26.109.254:80

322 B
7

8.8.8.8:53

knnistabe.com

dns

f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

59 B
132 B
1
1

DNS Request

knnistabe.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
b937b05f9ed5d4664623737e113a199a

SHA1
6399a412cbe25f66bddf5c13b0a40871046f35a7

SHA256
917f013f817c6828da5dbc8bdeb288617373cb4f50b7120d02c6ea8d3585437d

SHA512
f4f08b2ba9e58a261637ee21ca4d060f845064417eca81d2950d5db52223325a86ac58d9dcc18aa7a4fbf849c08398326cd60a6f6854693229a03669c38c491c

Download Submit
C:\Users\Admin\Documents\Iterra\qlizotd.dll

Filesize
41KB

MD5
138d049f208cafba11ce647464a74c83

SHA1
8b9c26a5dd9fdc8d8d376d1ef6fe62876068c657

SHA256
88b5c70fbc4dc678e4602a1427aa59951676402034ceff683fdf3d5aaa13780c

SHA512
6464d7735baf6a3a7516237a76bb532ec5aba4acbc17f5976f1d43e183ed63a99337505388e48c2cf679ec0b1aaf44acde1cf9bfb2bf0d5d22761215480d81c4

Download Submit
memory/1608-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-138-0x00000000031B0000-0x0000000003283000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing