8b4a7e1f12426b5c7a58b38fbc4d27ff13037e2e03aed72144f8763c246ec5c8

General

Target

4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
Size

312KB
MD5

eb7d2add3fe15ee8524a07c2c75bedb9
SHA1

d13c52cd6709f416aefe338922c77bae33a85f31
SHA256

4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822
SHA512

484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701
SSDEEP

6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQshEPn:6aeqeO0UQB8KFHqAYhEPn

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 432 3696 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3696	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

224 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2280 224 WerFault.exe rundll32.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
224	rundll32.exe

pid	pid_target	process	target process
2280	224	WerFault.exe	rundll32.exe

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

pid	process
3984	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
3984	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
1028	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
1028	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exerundll32.exe

description	pid	process	target process
PID 3984 wrote to memory of 1028	3984	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
PID 3984 wrote to memory of 1028	3984	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
PID 3984 wrote to memory of 1028	3984	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe	4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
PID 432 wrote to memory of 224	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 224	432	rundll32.exe	rundll32.exe
PID 432 wrote to memory of 224	432	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
"C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
"C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe" -h
2⤵
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 600
3⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 224 -ip 224
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads