a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0

General

Target

a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe
Size

69KB
MD5

268171181d88cf3cacf18078d1366a00
SHA1

eea95617c94b191506cf37ca85e2b5064cf6215f
SHA256

a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0
SHA512

025caa53938e52b8710542776433737c1929bc100c33af778b83ef1f01ea22f9063fb1e2f8153f73ade8bdbab55f3892022bbf26ccd4e1e7dbdc05bf9115041c
SSDEEP

1536:LFcpB4OEQDN9ZTGX7rOMw2XGXjDsNEwHYVrOttUBrD:LQBscNDGrrOzzD1mYpMqB3

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winwlw32.rom,zKukPXaV"	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winwlw32.rom	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe
File opened for modification	C:\Windows\SysWOW64\winwlw32.rom	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	4940	WerFault.exe	79

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 440	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	81
PID 4940 wrote to memory of 440	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	81
PID 4940 wrote to memory of 440	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	81
PID 4940 wrote to memory of 2888	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	54
PID 4940 wrote to memory of 2888	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	54
PID 4940 wrote to memory of 2800	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	83
PID 4940 wrote to memory of 2800	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	83
PID 4940 wrote to memory of 2800	4940	a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe	83
PID 440 wrote to memory of 3916	440	cmd.exe	90
PID 440 wrote to memory of 3916	440	cmd.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe
  "C:\Users\Admin\AppData\Local\Temp\a3cb786ef604b849dfdee3f6a9f4356e8fb4204e018f53c0799a5348f06ee2c0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fig129A.bat"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 488
    3⤵
    - Program crash
    PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4940 -ip 4940
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fig129A.bat

Filesize
188B

MD5
c652a3fae352ef1f8b6d9d39168ff30a

SHA1
04091ca6317973539ea234ac175a4bfb96727333

SHA256
de9ad321345462090ffbc33f75b8eed2a3f29c76941ccb01d225d8ed3afb034b

SHA512
5fee41f6f1244931bdb3c40e177003ef7db583c570cc4e8cd9db8dc6f2314440e95a596b31f4766c4f34aeac4c8aa350d339afea5b7f81f69c72bd3126cbbfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fig129A.tmp

Filesize
38KB

MD5
ba571f16760b1edc0a3b0ba384e8698f

SHA1
a4e3328f0f9c476db90208cfe96c4be69da70645

SHA256
afff2d01281449bb050310decf680ddee2ef8eec0be72519eddbfd16081139c1

SHA512
d548739479704e3a95920d43fff4abcb76dc5494bd8b57a27367cbe451250b9c8b8becd190fcce2fdb69a796a5b04218f82d33660584dc78ece7a1ec814d3aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\fig129A.tmp

Filesize
38KB

MD5
ba571f16760b1edc0a3b0ba384e8698f

SHA1
a4e3328f0f9c476db90208cfe96c4be69da70645

SHA256
afff2d01281449bb050310decf680ddee2ef8eec0be72519eddbfd16081139c1

SHA512
d548739479704e3a95920d43fff4abcb76dc5494bd8b57a27367cbe451250b9c8b8becd190fcce2fdb69a796a5b04218f82d33660584dc78ece7a1ec814d3aff

Download Submit
memory/440-133-0x0000000000000000-mapping.dmp

Download
memory/2800-135-0x0000000000000000-mapping.dmp

Download
memory/2888-134-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing