aa03d4ff799f30857eaf1231d83957bffa98779d2556bf6aedeb540febd02cbb

Analysis

max time kernel
101s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a7132abc47c8485e40d12dc6db84b3.exe
Size

207KB
MD5

09a7132abc47c8485e40d12dc6db84b3
SHA1

3220a68704773ca2a6549c7968945e3a774553b3
SHA256

aa03d4ff799f30857eaf1231d83957bffa98779d2556bf6aedeb540febd02cbb
SHA512

e446d4c6a53ed3e677cea110b2f333e8f56fcc595856e1230c32c08e06ac4cb260d3d35b092ff44c543f7e8ce61ae9cb5679cf9ad9cf6e37cf2f49ffd79b7c89
SSDEEP

6144:Izpmv1TcF/p/uwONct43Ep/uwONct43T92USK:ymS9pGHNu4UpGHNu4R2USK

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4704	rundll32.exe	15

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	09a7132abc47c8485e40d12dc6db84b3.exe

Loads dropped DLL 1 IoCs

pid	Process
4824	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1040	4824	WerFault.exe	86

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3112	4904	09a7132abc47c8485e40d12dc6db84b3.exe	83
PID 4904 wrote to memory of 3112	4904	09a7132abc47c8485e40d12dc6db84b3.exe	83
PID 4904 wrote to memory of 3112	4904	09a7132abc47c8485e40d12dc6db84b3.exe	83
PID 3396 wrote to memory of 4824	3396	rundll32.exe	86
PID 3396 wrote to memory of 4824	3396	rundll32.exe	86
PID 3396 wrote to memory of 4824	3396	rundll32.exe	86

C:\Users\Admin\AppData\Local\Temp\09a7132abc47c8485e40d12dc6db84b3.exe
"C:\Users\Admin\AppData\Local\Temp\09a7132abc47c8485e40d12dc6db84b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\09a7132abc47c8485e40d12dc6db84b3.exe
  "C:\Users\Admin\AppData\Local\Temp\09a7132abc47c8485e40d12dc6db84b3.exe" -h
  2⤵
  PID:3112

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 600
    3⤵
    - Program crash
    PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4824 -ip 4824
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
558fb165f9dec4a658095e16878896e2

SHA1
b0813050bb1b447dbe4544696c73d7419971acf2

SHA256
f0c6a3d1543bfbcb7be733cf2a03a5864fcf7ea9b23897e5c0b4e84ccb78e1e4

SHA512
94d5a996af420078028e4fc4afb463db28d622ac2c0785fa73690d5fdf022cd5f2ddd4712bc45071e9c3da1dab0394a192066338c3ba76f51f3d12e94b37fa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
845a5f94673e266f80fae41538a94db1

SHA1
a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

SHA256
3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

SHA512
f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

Download Submit