Analysis
max time kernel: 60s
max time network: 82s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-02-2023 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  Resource: win10v2004-20230220-en
General
Target: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
Size: 312KB
MD5: b7f3bbe2d4281867faafbf082b126334
SHA1: ffc748cf49fbc9fcd8fb9ba42ffd11839bcb9e4a
SHA256: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584
SHA512: 3aa22851b4ded467b8bf8c830afa16fe9b55f5655d429b67d42ec50fab3e88898489670329cb36c5b859dd3767809fdf976a152900832ba3bd67ed50aeb966a3
SSDEEP: 6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsfEPn:6aeqeO0UQB8KFHqAYfEPn
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 804 | pid_target: 2344 | process: rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
Loads dropped DLL (1 IoC)
Processes:
  pid: 3608 | process: rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  pid: 1668 | pid_target: 3608 | process: WerFault.exe | target process: rundll32.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header | flow: 3 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid: 4740 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  pid: 4740 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  pid: 4508 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  pid: 4508 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 4740 wrote to memory of 4508 | pid: 4740 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe | target process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  description: PID 4740 wrote to memory of 4508 | pid: 4740 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe | target process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  description: PID 4740 wrote to memory of 4508 | pid: 4740 | process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe | target process: 0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  description: PID 804 wrote to memory of 3608 | pid: 804 | process: rundll32.exe | target process: rundll32.exe
  description: PID 804 wrote to memory of 3608 | pid: 804 | process: rundll32.exe | target process: rundll32.exe
  description: PID 804 wrote to memory of 3608 | pid: 804 | process: rundll32.exe | target process: rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584.exe" -h
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 600
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\db.dat
  Filesize: 557KB
  MD5: 45ceed48afd68359f317952e8845ea02
  SHA1: 0149982c8c5a90616c3392974b1a543eb2b4e894
  SHA256: ba07f9487a10ed278772d9571d6e867f53338029a3c4580eed2e08d8f5a8f9bd
  SHA512: c41645620e26ece7bf044c7a7a8d43383e87a07baae20596d7e01a609d403396fc1993647724185b066e48d9b7f7bddca8913c838dfa56916de7dbd27b9bd4cf
C:\Users\Admin\AppData\Local\Temp\db.dll
  Filesize: 52KB
  MD5: 1b20e998d058e813dfc515867d31124f
  SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
  SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
  SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6