a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879

Analysis

max time kernel
105s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
Size

153KB
MD5

5b1931b78644abc16bbd7e8b6269b3ff
SHA1

fb7447b14920670f579ff42fb69d4f2fc29ec757
SHA256

a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879
SHA512

84ad29c54448fb372114b635b92e9c3f04d8970807492589ed5991917ff1b061655ddbe795807691e55ca5cd406060adb50df6e43fb1d963b1d38c31523221ce
SSDEEP

3072:oLv3G9oX0gJNHHHHHLXXXXXX7rXXXSsnBSpFuFqkD6gZemy1ndT5ml:8GrgJNHHHHHLXXXXXX7rXXXSsnk4qcy3

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe

Loads dropped DLL 5 IoCs

pid	Process
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
3716	WerFault.exe
3640	WerFault.exe
4916	WerFault.exe
4368	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3640	1496	WerFault.exe	78
4368	1496	WerFault.exe	78

Runs .reg file with regedit 1 IoCs

pid	Process
4860	regedit.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4896	1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe	79
PID 1496 wrote to memory of 4896	1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe	79
PID 1496 wrote to memory of 4896	1496	a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe	79
PID 4896 wrote to memory of 4860	4896	regedt32.exe	80
PID 4896 wrote to memory of 4860	4896	regedt32.exe	80
PID 4896 wrote to memory of 4860	4896	regedt32.exe	80

C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
"C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1260
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1012
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1496 -ip 1496
1⤵
- Loads dropped DLL
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1496 -ip 1496
1⤵
- Loads dropped DLL
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
17b0b494ebc51b387e65a17d3383befc

SHA1
d2d7365b70f69de800a9c71e822ce436ae51989c

SHA256
ada28ac5fd1789701be8916040a148e5ed499b02ac17e16e99c55ad32cb8ec20

SHA512
09d77a692a4c3afa1817fbd4605caf1eed97d12675a00b96e46d34c7774de45468e474fc691700ec3fe1d13bb5c8662b3047160a45702ef82d1cc249cdfa21e8

Download Submit
C:\Users\Admin\Documents\Iterra\jmgatxk.dll

Filesize
42KB

MD5
c7f36664b64e2f2dc95e99eddc4d5259

SHA1
f28b41f062c021b81f6cb8ee9b1c785485a552ae

SHA256
524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

SHA512
5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

Download Submit
C:\Users\Admin\Documents\Iterra\jmgatxk.dll

Filesize
42KB

MD5
c7f36664b64e2f2dc95e99eddc4d5259

SHA1
f28b41f062c021b81f6cb8ee9b1c785485a552ae

SHA256
524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

SHA512
5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

Download Submit
C:\Users\Admin\Documents\Iterra\jmgatxk.dll

Filesize
42KB

MD5
c7f36664b64e2f2dc95e99eddc4d5259

SHA1
f28b41f062c021b81f6cb8ee9b1c785485a552ae

SHA256
524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

SHA512
5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

Download Submit
C:\Users\Admin\Documents\Iterra\jmgatxk.dll

Filesize
42KB

MD5
c7f36664b64e2f2dc95e99eddc4d5259

SHA1
f28b41f062c021b81f6cb8ee9b1c785485a552ae

SHA256
524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

SHA512
5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

Download Submit
C:\Users\Admin\Documents\Iterra\jmgatxk.dll

Filesize
42KB

MD5
c7f36664b64e2f2dc95e99eddc4d5259

SHA1
f28b41f062c021b81f6cb8ee9b1c785485a552ae

SHA256
524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

SHA512
5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

Download Submit
memory/1496-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-139-0x00000000030A0000-0x0000000003173000-memory.dmp

Filesize
844KB

Download
memory/1496-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download