Analysis
-
max time kernel
66s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
24-02-2023 01:42
Static task
static1
Behavioral task
behavioral1
Sample
b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe
Resource
win10v2004-20230221-en
General
-
Target
b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe
-
Size
312KB
-
MD5
a64c4c4083e817d1b75536c30dd0ce5e
-
SHA1
a4667b3ae9b83bc12f9d53543c41783b343afac3
-
SHA256
b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab
-
SHA512
fa39341ae0d245459174707c4dfd5fa4830e26eb7b58a1c81395977a27536ef1813bc42c2536556901a8a9cb238bd88b081df602f4d2a5242c95320d55d80d8f
-
SSDEEP
6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQs8EPn:6aeqeO0UQB8KFHqAY8EPn
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4708 4488 rundll32.exe 28 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe -
Loads dropped DLL 1 IoCs
pid Process 2748 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1708 2748 WerFault.exe 84 -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3776 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 3776 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 4452 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 4452 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3776 wrote to memory of 4452 3776 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 82 PID 3776 wrote to memory of 4452 3776 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 82 PID 3776 wrote to memory of 4452 3776 b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe 82 PID 4708 wrote to memory of 2748 4708 rundll32.exe 84 PID 4708 wrote to memory of 2748 4708 rundll32.exe 84 PID 4708 wrote to memory of 2748 4708 rundll32.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe"C:\Users\Admin\AppData\Local\Temp\b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe"C:\Users\Admin\AppData\Local\Temp\b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe" -h2⤵
- Suspicious use of SetWindowsHookEx
PID:4452
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 6003⤵
- Program crash
PID:1708
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2748 -ip 27481⤵PID:2016
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
557KB
MD5f1f63fb8caa7c9447692fe4dc35dce65
SHA1ea4816ff6db602728e97c990c4e71822e262e87c
SHA25667e6fcfa88fcfe4fa1c87671567bd8bcf3cb2f79a5cb88173552b2222bbd27d2
SHA512e5984aa82fd76ebe9804678b722ca416c9a890bab10d20a0f0e2a9b348f86ac3da4c210ddb5bd09ecf489ac90cc9f8d1939a489a242fe436a3af84c09743aed5
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6