Analysis
-
max time kernel
78s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
09-03-2023 04:21
Static task
static1
Behavioral task
behavioral1
Sample
bf48a5cd9169a5826521a8a33b21adee.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
bf48a5cd9169a5826521a8a33b21adee.exe
Resource
win10v2004-20230220-en
General
-
Target
bf48a5cd9169a5826521a8a33b21adee.exe
-
Size
308KB
-
MD5
bf48a5cd9169a5826521a8a33b21adee
-
SHA1
b769421d41836cb6fb1bfc624207ed4f2eac57b5
-
SHA256
32e60467041b40146d87fc1c8c734f60f7e3763820e0c2a852a801c8afd1c7ab
-
SHA512
a40ab338563540aaac258b62f29195e56432d137ce4052aee24cec4f01e4c115f116392f7657b9a9dbe2f0b05ff79818520a417ec3608892cbd68c69e9a25a71
-
SSDEEP
6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1KEP3:i814Xn0Ti8tbJyIQdjrfzQEP3
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4996 4784 rundll32.exe 12 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation bf48a5cd9169a5826521a8a33b21adee.exe -
Loads dropped DLL 1 IoCs
pid Process 4968 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2192 4968 WerFault.exe 89 -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1500 bf48a5cd9169a5826521a8a33b21adee.exe 1500 bf48a5cd9169a5826521a8a33b21adee.exe 1896 bf48a5cd9169a5826521a8a33b21adee.exe 1896 bf48a5cd9169a5826521a8a33b21adee.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1500 wrote to memory of 1896 1500 bf48a5cd9169a5826521a8a33b21adee.exe 87 PID 1500 wrote to memory of 1896 1500 bf48a5cd9169a5826521a8a33b21adee.exe 87 PID 1500 wrote to memory of 1896 1500 bf48a5cd9169a5826521a8a33b21adee.exe 87 PID 4996 wrote to memory of 4968 4996 rundll32.exe 89 PID 4996 wrote to memory of 4968 4996 rundll32.exe 89 PID 4996 wrote to memory of 4968 4996 rundll32.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf48a5cd9169a5826521a8a33b21adee.exe"C:\Users\Admin\AppData\Local\Temp\bf48a5cd9169a5826521a8a33b21adee.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\bf48a5cd9169a5826521a8a33b21adee.exe"C:\Users\Admin\AppData\Local\Temp\bf48a5cd9169a5826521a8a33b21adee.exe" -h2⤵
- Suspicious use of SetWindowsHookEx
PID:1896
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
PID:4968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 6003⤵
- Program crash
PID:2192
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4968 -ip 49681⤵PID:2356
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
557KB
MD5819ae848dc8b172ef0db45a423cc4024
SHA1e78a66524da011216a63d9936bd4b22b9d0335d2
SHA2561213515bf29bf5dbedd80835b8cf1310b952525fcc716faf0b3d602930cacf24
SHA512a8fe171c6edc22ee62999c70167a9d904d5d94a50e9dca7a7240dbd6a14b0e684fc19d5bc99dfbd3a82bdf8ccb62f6144a8b310f77432224631ac428ded0b084
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
Filesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6