Analysis
- Max time kernel: 76s
- Max time network: 128s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 06-03-2023 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: d5e7b6fe3bb68f1da7ec111231292f02.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: d5e7b6fe3bb68f1da7ec111231292f02.exe
- Resource: win10v2004-20230220-en
General
- Target: d5e7b6fe3bb68f1da7ec111231292f02.exe
- Size: 308KB
- MD5: d5e7b6fe3bb68f1da7ec111231292f02
- SHA1: 1e71cbeb2caba1f955219f916fce7d13c05436b6
- SHA256: b261a7995c16bc433bd714b2830e519c40c3b8bd60ad6a6239ce27e672dc6650
- SHA512: f9d71917272958ef2cdae91b812d7aca62ee1d0993957ae734aaa7cbdcc88792cb52614515aa8f94c176ac56ac4f89bae902c142c5e187584fe25e7a335ac2c2
- SSDEEP: 6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1dEP3:i814Xn0Ti8tbJyIQdjrfzPEP3
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | PID: 4308 | Target PID: 1292 | Process: rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Description: Key value queried | IoC: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID: 5076 | Process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    PID: 3104 | Target PID: 5076 | Process: WerFault.exe | Target process: rundll32.exe
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    Description: HTTP User-Agent header | Flow: 21 | IoC: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    PID: 3060 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    PID: 3060 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    PID: 2524 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    PID: 2524 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description: PID 3060 wrote to memory of 2524 | PID: 3060 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe | Target process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    Description: PID 3060 wrote to memory of 2524 | PID: 3060 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe | Target process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    Description: PID 3060 wrote to memory of 2524 | PID: 3060 | Process: d5e7b6fe3bb68f1da7ec111231292f02.exe | Target process: d5e7b6fe3bb68f1da7ec111231292f02.exe
    Description: PID 4308 wrote to memory of 5076 | PID: 4308 | Process: rundll32.exe | Target process: rundll32.exe
    Description: PID 4308 wrote to memory of 5076 | PID: 4308 | Process: rundll32.exe | Target process: rundll32.exe
    Description: PID 4308 wrote to memory of 5076 | PID: 4308 | Process: rundll32.exe | Target process: rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe (PID: 3060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe (PID: 2524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5e7b6fe3bb68f1da7ec111231292f02.exe" -h
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\rundll32.exe (PID: 4308)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 5076)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe (PID: 3104)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 600
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID: 1168)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5076 -ip 5076
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\db.dat
  Filesize: 557KB
  MD5: d8fdf3094adfa6cd96ad85cb3b1c0888
  SHA1: e1ff8d0d9d04b6da1c78fa2eeb002f89e1c217ef
  SHA256: 234b037565a89b5d3cdabb963390b84bbfb23f68de1d7a940d250c13d6eb2087
  SHA512: a55f0f2a2bc7182c639de20bcafab8ad71416665b3e9f24276d55a03312f0a0014ff12916a08f42edbfd8f58b2bc59e01010271bed028c2c67cce97535af6a94
- C:\Users\Admin\AppData\Local\Temp\db.dll
  Filesize: 52KB
  MD5: 1b20e998d058e813dfc515867d31124f
  SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
  SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
  SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6