c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7

Analysis

max time kernel
85s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b32570cfc08329e3bf2624f727ead3f.exe
Size

308KB
MD5

3b32570cfc08329e3bf2624f727ead3f
SHA1

6f15ad55aab802e2c963c7d95d605cfd9e189ea3
SHA256

c14dfbc33876ec82c3705cc8cedad7dda10646b4fd9d12c468d786187422bee7
SHA512

9c380ea7111f6ebc335ddb5dd42b7f9b4ae32f93debfac83dfd544790fd644173b1b2d7685fb18801520eabc93fd3919b0c89d96519ed4bf0a2fec754fa5ebc8
SSDEEP

6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt18EP3:i814Xn0Ti8tbJyIQdjrfzmEP3

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	384	rundll32.exe	37

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	3b32570cfc08329e3bf2624f727ead3f.exe

Loads dropped DLL 1 IoCs

pid	Process
4904	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4144	4904	WerFault.exe	86

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3908	3b32570cfc08329e3bf2624f727ead3f.exe
3908	3b32570cfc08329e3bf2624f727ead3f.exe
4652	3b32570cfc08329e3bf2624f727ead3f.exe
4652	3b32570cfc08329e3bf2624f727ead3f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4652	3908	3b32570cfc08329e3bf2624f727ead3f.exe	84
PID 3908 wrote to memory of 4652	3908	3b32570cfc08329e3bf2624f727ead3f.exe	84
PID 3908 wrote to memory of 4652	3908	3b32570cfc08329e3bf2624f727ead3f.exe	84
PID 3656 wrote to memory of 4904	3656	rundll32.exe	86
PID 3656 wrote to memory of 4904	3656	rundll32.exe	86
PID 3656 wrote to memory of 4904	3656	rundll32.exe	86

C:\Users\Admin\AppData\Local\Temp\3b32570cfc08329e3bf2624f727ead3f.exe
"C:\Users\Admin\AppData\Local\Temp\3b32570cfc08329e3bf2624f727ead3f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\3b32570cfc08329e3bf2624f727ead3f.exe
  "C:\Users\Admin\AppData\Local\Temp\3b32570cfc08329e3bf2624f727ead3f.exe" -h
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4652

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 600
    3⤵
    - Program crash
    PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4904 -ip 4904
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
9c30fa2037dd0f1a65ea328211147109

SHA1
cd6694a6eb5f954371cd51ddc65b11612619eb5f

SHA256
747128cac7de41ff52779f8ff985f2eb8ec1735bb168ab269cd967b6b0e9cbc3

SHA512
e5fdeedc3b5843d5b2c3dbbe37e40f3cea9b5197a009d7af6dc8573f19d81d14a592a8291f1043f5e88032bf3a08d4f988704ae3397f103e92a547c612c7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit