025803b36393bc7b87e759559b17eab350c1a2b6b0951b547a617bef8ce81490

General

Target

0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
Size

312KB
MD5

b7f3bbe2d4281867faafbf082b126334
SHA1

ffc748cf49fbc9fcd8fb9ba42ffd11839bcb9e4a
SHA256

0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584
SHA512

3aa22851b4ded467b8bf8c830afa16fe9b55f5655d429b67d42ec50fab3e88898489670329cb36c5b859dd3767809fdf976a152900832ba3bd67ed50aeb966a3
SSDEEP

6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsfEPn:6aeqeO0UQB8KFHqAYfEPn

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 804 2344 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2344	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3608 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 3608 WerFault.exe rundll32.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3608	rundll32.exe

pid	pid_target	process	target process
1668	3608	WerFault.exe	rundll32.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe

pid	process
4740	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
4740	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
4508	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
4508	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exerundll32.exe

description	pid	process	target process
PID 4740 wrote to memory of 4508	4740	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
PID 4740 wrote to memory of 4508	4740	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
PID 4740 wrote to memory of 4508	4740	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe	0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
PID 804 wrote to memory of 3608	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 3608	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 3608	804	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
"C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
"C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe" -h
2⤵
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 600
3⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
1⤵
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
45ceed48afd68359f317952e8845ea02

SHA1
0149982c8c5a90616c3392974b1a543eb2b4e894

SHA256
ba07f9487a10ed278772d9571d6e867f53338029a3c4580eed2e08d8f5a8f9bd

SHA512
c41645620e26ece7bf044c7a7a8d43383e87a07baae20596d7e01a609d403396fc1993647724185b066e48d9b7f7bddca8913c838dfa56916de7dbd27b9bd4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads