412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772

Analysis

max time kernel
99s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
Size

72KB
MD5

834a79ee7a59547a89ef4f849829b05b
SHA1

28db68cffea38ed08db8fc3ed687a45494c38dcb
SHA256

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
SHA512

3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774
SSDEEP

1536:3vAkGoo+bH/J027ZKxyafwhHCC/mq1ktG:3vuWbaRgaYtX1ktG

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2024	rundll32.exe	40

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe

Loads dropped DLL 1 IoCs

pid	Process
1816	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	1816	WerFault.exe	90

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3184	2640	412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe	87
PID 2640 wrote to memory of 3184	2640	412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe	87
PID 2640 wrote to memory of 3184	2640	412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe	87
PID 3172 wrote to memory of 1816	3172	rundll32.exe	90
PID 3172 wrote to memory of 1816	3172	rundll32.exe	90
PID 3172 wrote to memory of 1816	3172	rundll32.exe	90

C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
"C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe
  "C:\Users\Admin\AppData\Local\Temp\412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe" --v
  2⤵
  PID:3184

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 600
    3⤵
    - Program crash
    PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
cb077166b5cc181bde4c2bb30d28a99a

SHA1
800aab82a816e41ded59bc20cda364fa22dc0bcb

SHA256
40f19665b2ae343aa3838226e3393e2816a58fbb16fa4d2a3da8c602f20c9f72

SHA512
d1a9c9696f17e0ed3fe34996fef186c23ca9c0bb5cc1073a01bee88ca3d6a096dce61145f6339f88fd08fd4ac5d451105547a604c9a10fb373a78c6cf9df2811

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit