2892084066a00407233a15366e718131b5b0ab2834eee56b04f718afb3b30fbd

General

Target

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Size

328KB
MD5

01373d57fe51a8c713ff58681b73b545
SHA1

fdde9f7b9b943e8c618ea471ca3d59642530b7d8
SHA256

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e
SHA512

29929961a67d31e5ee696a9b80326e6c1b28490d9e575f580467d11b7051ea94c88fe7a1590f54b44d33b41402b2428d43e06df6b2e9a574246e3af481583cd1
SSDEEP

6144:evSBanJK/5kPas8N0HEAAf1vbViarAWbd33IEPT:evjas8uHEAAtvBpk9EPT

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3380 3816 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3816	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4084 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3648 4084 WerFault.exe rundll32.exe

pid	process
4084	rundll32.exe

pid	pid_target	process	target process
3648	4084	WerFault.exe	rundll32.exe

Modifies registry class 44 IoCs

Processes:

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66C502~1.EXE"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66C502~1.EXE"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 60 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

pid	process
2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
384	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
384	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exerundll32.exe

description	pid	process	target process
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
PID 3380 wrote to memory of 4084	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 4084	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 4084	3380	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
"C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
"C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe" -h
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 600
3⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4084 -ip 4084
1⤵
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
9dd748ec666aca6d3fee60839649fb02

SHA1
d09baa2751e2972fca1ded62d40823889ca8d41d

SHA256
555ced7986ad075033f84cf3b656143f7ca8194aa5824415d2d668123e59fac6

SHA512
1faff5e33104061a8479b4e03979e23c9814d14a19d780b5b6cdd81af5f371fcd6f96c8f08ba3760b7b660dcf9667e7e7e9f13284d119936bed046cc19c5fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads