d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1

Analysis

max time kernel
246s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
Size

109KB
MD5

30df3d8f374a5052afa29deacea17940
SHA1

7522bae6151af6cbf43426fd2e61095869468ce3
SHA256

d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1
SHA512

1dd65a45eaba7e747f150f6b0512bc144dbe0b2fec3629a412eb6be274f2bb7dae496e3570e1cca17802132346bbf9670a34fe4eea8d6f8a598046939912385f
SSDEEP

1536:B/iqYbQ7kwh2oyVbQ/L9uW22E0NtstjcKg6kiW7BWJKgchFPZ/wmPGKztVUzaIlK:4bKbRWk/L9p1tEBgL1Wcg0BnxVzdRS2b

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\rsdzpw.sys	Í¼.exe

Executes dropped EXE 1 IoCs

pid	Process
3404	Í¼.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\rsdzpw.dll"	Í¼.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\rsdzpw.dll"	Í¼.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\rsdzpw.dll"	Í¼.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe

Loads dropped DLL 2 IoCs

pid	Process
3404	Í¼.exe
3652	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\000476f6.ini	Í¼.exe
File created	C:\Windows\SysWOW64\rsdzpw.dll	Í¼.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3652	svchost.exe
3652	svchost.exe
3652	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3404	5036	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	82
PID 5036 wrote to memory of 3404	5036	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	82
PID 5036 wrote to memory of 3404	5036	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	82

C:\Users\Admin\AppData\Local\Temp\d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
"C:\Users\Admin\AppData\Local\Temp\d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\Í¼.exe
  "C:\Users\Admin\AppData\Local\Temp\Í¼.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k peaajr
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
C:\Windows\SysWOW64\rsdzpw.dll

Filesize
90KB

MD5
33defb1514ab99b545249afb1efd5619

SHA1
24bf3f801ebd7a56b73fc5a55a65b52f321d4b9f

SHA256
6e6d3d40fd17dc63d3fa051b208ce5b682115ca25ae7fde5c95cd33f2c84133c

SHA512
30f95550e8e298b6aa92c53a24f72725b3c9541cc14d3aa94900b76dbc823e82bafa67a6f1f4bb9dfb9424dd1520a6767578db811c6566141e99413fa4b90bc1

Download Submit
C:\Windows\SysWOW64\rsdzpw.dll

Filesize
90KB

MD5
33defb1514ab99b545249afb1efd5619

SHA1
24bf3f801ebd7a56b73fc5a55a65b52f321d4b9f

SHA256
6e6d3d40fd17dc63d3fa051b208ce5b682115ca25ae7fde5c95cd33f2c84133c

SHA512
30f95550e8e298b6aa92c53a24f72725b3c9541cc14d3aa94900b76dbc823e82bafa67a6f1f4bb9dfb9424dd1520a6767578db811c6566141e99413fa4b90bc1

Download Submit
\??\c:\windows\SysWOW64\rsdzpw.dll

Filesize
90KB

MD5
33defb1514ab99b545249afb1efd5619

SHA1
24bf3f801ebd7a56b73fc5a55a65b52f321d4b9f

SHA256
6e6d3d40fd17dc63d3fa051b208ce5b682115ca25ae7fde5c95cd33f2c84133c

SHA512
30f95550e8e298b6aa92c53a24f72725b3c9541cc14d3aa94900b76dbc823e82bafa67a6f1f4bb9dfb9424dd1520a6767578db811c6566141e99413fa4b90bc1

Download Submit