Analysis
- max time kernel: 79s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-03-2023 02:13
Static task: static1
Behavioral task: behavioral1
- Sample: b5e1e946ebad560b876703e9675ca326.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: b5e1e946ebad560b876703e9675ca326.exe
- Resource: win10v2004-20230220-en
General
- Target: b5e1e946ebad560b876703e9675ca326.exe
- Size: 308KB
- MD5: b5e1e946ebad560b876703e9675ca326
- SHA1: c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772
- SHA256: c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130
- SHA512: 8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5
- SSDEEP: 6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1gEP3:i814Xn0Ti8tbJyIQdjrfzWEP3
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 512; pid_target: 2208; Process: rundll32.exe; procid_target: 41
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation; Process: b5e1e946ebad560b876703e9675ca326.exe
- Loads dropped DLL (1 IoC)
  pid: 4340; Process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid: 4416; pid_target: 4340; Process: WerFault.exe; procid_target: 87
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header; flow: 14; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid: 3268; Process: b5e1e946ebad560b876703e9675ca326.exe
  pid: 3268; Process: b5e1e946ebad560b876703e9675ca326.exe
  pid: 3612; Process: b5e1e946ebad560b876703e9675ca326.exe
  pid: 3612; Process: b5e1e946ebad560b876703e9675ca326.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3268 wrote to memory of 3612; pid: 3268; Process: b5e1e946ebad560b876703e9675ca326.exe; procid_target: 85
  description: PID 3268 wrote to memory of 3612; pid: 3268; Process: b5e1e946ebad560b876703e9675ca326.exe; procid_target: 85
  description: PID 3268 wrote to memory of 3612; pid: 3268; Process: b5e1e946ebad560b876703e9675ca326.exe; procid_target: 85
  description: PID 512 wrote to memory of 4340; pid: 512; Process: rundll32.exe; procid_target: 87
  description: PID 512 wrote to memory of 4340; pid: 512; Process: rundll32.exe; procid_target: 87
  description: PID 512 wrote to memory of 4340; pid: 512; Process: rundll32.exe; procid_target: 87
Processes
- C:\Users\Admin\AppData\Local\Temp\b5e1e946ebad560b876703e9675ca326.exe (PID 3268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5e1e946ebad560b876703e9675ca326.exe"
  Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b5e1e946ebad560b876703e9675ca326.exe (PID 3612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5e1e946ebad560b876703e9675ca326.exe" -h
    Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\rundll32.exe (PID 512)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4340)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\WerFault.exe (PID 4416)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 600
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4532)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4340 -ip 4340
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 557KB
  MD5: fd90f85bea1392578bc903144ace2ace
  SHA1: 0eabae72ab684584ca78dce7680fb997d7aba07b
  SHA256: 32e932155cf3f208d90aa0a058a87cf072e54e38e8c5c22c045411bac0bf936d
  SHA512: 6de4887f177d71e21b89c9d431244044b50f3bb994939690413e77775dcc17b06a4dc11c7f5b1f6f382459e12bc9800fbba81fc54f41a4dbe77e5b52c90c4151
- Filesize: 52KB
  MD5: 1b20e998d058e813dfc515867d31124f
  SHA1: c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
  SHA256: 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
  SHA512: 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6