940c2237b8cdb75574c2d30533c2e6560b34c038209579a588a76c35aea21b82

General

Target

Excz0.lib.dll
Size

13.7MB
MD5

bc30bf23e4b2089e7beb6dee6656b36b
SHA1

60413e8738971b2dbc694336fe6004822f738ddb
SHA256

6bacde421bff804efd0ab86980294cb2815e393ff8652d588041d2fd9465ed65
SHA512

0a2202e7885640b139309d286547fcaa93c164d65da80598e79c9557770114d52726bfcdea3fcaddbb3837ad86abe968c2564ec04dc56309038e264f5ce5974c
SSDEEP

393216:imNUyg6YH3mxBnM2lUukRka+tifXfmfguj4:im+yg6kmUyUuk+Wmfdj4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4196	rundll32.exe
4196	rundll32.exe
4196	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe
1132	OpenWith.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4196	4712	rundll32.exe	83
PID 4712 wrote to memory of 4196	4712	rundll32.exe	83
PID 4712 wrote to memory of 4196	4712	rundll32.exe	83
PID 4196 wrote to memory of 3388	4196	rundll32.exe	91
PID 4196 wrote to memory of 3388	4196	rundll32.exe	91
PID 4196 wrote to memory of 3388	4196	rundll32.exe	91
PID 4196 wrote to memory of 1532	4196	rundll32.exe	95
PID 4196 wrote to memory of 1532	4196	rundll32.exe	95
PID 4196 wrote to memory of 1532	4196	rundll32.exe	95
PID 4196 wrote to memory of 2548	4196	rundll32.exe	96
PID 4196 wrote to memory of 2548	4196	rundll32.exe	96
PID 4196 wrote to memory of 2548	4196	rundll32.exe	96
PID 4196 wrote to memory of 3720	4196	rundll32.exe	98
PID 4196 wrote to memory of 3720	4196	rundll32.exe	98
PID 4196 wrote to memory of 3720	4196	rundll32.exe	98
PID 4196 wrote to memory of 3468	4196	rundll32.exe	99
PID 4196 wrote to memory of 3468	4196	rundll32.exe	99
PID 4196 wrote to memory of 3468	4196	rundll32.exe	99
PID 4196 wrote to memory of 2368	4196	rundll32.exe	100
PID 4196 wrote to memory of 2368	4196	rundll32.exe	100
PID 4196 wrote to memory of 2368	4196	rundll32.exe	100
PID 4196 wrote to memory of 4584	4196	rundll32.exe	101
PID 4196 wrote to memory of 4584	4196	rundll32.exe	101
PID 4196 wrote to memory of 4584	4196	rundll32.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Excz0.lib.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Excz0.lib.dll,#1
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Local\Temp\req.ttf
    3⤵
    PID:4584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempExodusExported.dll

Filesize
13.7MB

MD5
b33e86772f0fea3bbbc21b5b116d53bb

SHA1
0c48a91d827d0185d6f28ab4a730a7723042fdb9

SHA256
a4acb2bbe546ae7f64db0eccb44af13b4d2d7bbd713940943760d32a9c3bfb51

SHA512
1257017bd10811e1ed8fe905c8b272a2ccb35013d87b4c6a24d705fbd4ad3312a6b8055ca8e05b576be22c0a963c940081841a52b5bc3a5524e3a3833430a897

Download Submit
C:\Users\Admin\AppData\Local\TempExodusExported.dll

Filesize
13.7MB

MD5
b33e86772f0fea3bbbc21b5b116d53bb

SHA1
0c48a91d827d0185d6f28ab4a730a7723042fdb9

SHA256
a4acb2bbe546ae7f64db0eccb44af13b4d2d7bbd713940943760d32a9c3bfb51

SHA512
1257017bd10811e1ed8fe905c8b272a2ccb35013d87b4c6a24d705fbd4ad3312a6b8055ca8e05b576be22c0a963c940081841a52b5bc3a5524e3a3833430a897

Download Submit
C:\Users\Admin\AppData\Local\TempExodusExported.dll

Filesize
13.7MB

MD5
b33e86772f0fea3bbbc21b5b116d53bb

SHA1
0c48a91d827d0185d6f28ab4a730a7723042fdb9

SHA256
a4acb2bbe546ae7f64db0eccb44af13b4d2d7bbd713940943760d32a9c3bfb51

SHA512
1257017bd10811e1ed8fe905c8b272a2ccb35013d87b4c6a24d705fbd4ad3312a6b8055ca8e05b576be22c0a963c940081841a52b5bc3a5524e3a3833430a897

Download Submit
C:\Users\Admin\AppData\Local\TempExodusExported.dll

Filesize
13.7MB

MD5
b33e86772f0fea3bbbc21b5b116d53bb

SHA1
0c48a91d827d0185d6f28ab4a730a7723042fdb9

SHA256
a4acb2bbe546ae7f64db0eccb44af13b4d2d7bbd713940943760d32a9c3bfb51

SHA512
1257017bd10811e1ed8fe905c8b272a2ccb35013d87b4c6a24d705fbd4ad3312a6b8055ca8e05b576be22c0a963c940081841a52b5bc3a5524e3a3833430a897

Download Submit
C:\Users\Admin\AppData\Local\Temp\req.ttf

Filesize
196KB

MD5
0f0ea204488f7d0bbaa7451c312f4db5

SHA1
1d1a61201baea75eb0aebdf75cef600c09cbb1da

SHA256
2c347d0ff76223dc362bf0a832f0288d5047504dc03e190680d28552b9ef734d

SHA512
dcd642717213666aee9359ae04f779dfdd145c9400d8f8725548c816b00471ce0bc0d60b60d93ef5c7261f534402ace2eba9e66454e9685464184163a16b00e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\req.ttf

Filesize
196KB

MD5
0f0ea204488f7d0bbaa7451c312f4db5

SHA1
1d1a61201baea75eb0aebdf75cef600c09cbb1da

SHA256
2c347d0ff76223dc362bf0a832f0288d5047504dc03e190680d28552b9ef734d

SHA512
dcd642717213666aee9359ae04f779dfdd145c9400d8f8725548c816b00471ce0bc0d60b60d93ef5c7261f534402ace2eba9e66454e9685464184163a16b00e0

Download Submit
memory/4196-150-0x0000000006D90000-0x0000000007334000-memory.dmp

Filesize
5.6MB

Download
memory/4196-151-0x0000000004730000-0x00000000047C2000-memory.dmp

Filesize
584KB

Download
memory/4196-152-0x0000000006800000-0x000000000681A000-memory.dmp

Filesize
104KB

Download
memory/4196-153-0x0000000006850000-0x0000000006872000-memory.dmp

Filesize
136KB

Download
memory/4196-154-0x0000000006960000-0x0000000006980000-memory.dmp

Filesize
128KB

Download
memory/4196-157-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/4196-149-0x0000000074120000-0x0000000074EE0000-memory.dmp

Filesize
13.8MB

Download
memory/4196-148-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing