2892084066a00407233a15366e718131b5b0ab2834eee56b04f718afb3b30fbd

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Size

328KB
MD5

01373d57fe51a8c713ff58681b73b545
SHA1

fdde9f7b9b943e8c618ea471ca3d59642530b7d8
SHA256

66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e
SHA512

29929961a67d31e5ee696a9b80326e6c1b28490d9e575f580467d11b7051ea94c88fe7a1590f54b44d33b41402b2428d43e06df6b2e9a574246e3af481583cd1
SSDEEP

6144:evSBanJK/5kPas8N0HEAAf1vbViarAWbd33IEPT:evjas8uHEAAtvBpk9EPT

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3816	rundll32.exe	14

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Loads dropped DLL 1 IoCs

pid	Process
4084	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	4084	WerFault.exe	97

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66C502~1.EXE"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66C502~1.EXE"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	60	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
384	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
384	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	83
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	83
PID 2780 wrote to memory of 384	2780	66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe	83
PID 3380 wrote to memory of 4084	3380	rundll32.exe	97
PID 3380 wrote to memory of 4084	3380	rundll32.exe	97
PID 3380 wrote to memory of 4084	3380	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
"C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
  "C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe" -h
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 600
    3⤵
    - Program crash
    PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4084 -ip 4084
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
9dd748ec666aca6d3fee60839649fb02

SHA1
d09baa2751e2972fca1ded62d40823889ca8d41d

SHA256
555ced7986ad075033f84cf3b656143f7ca8194aa5824415d2d668123e59fac6

SHA512
1faff5e33104061a8479b4e03979e23c9814d14a19d780b5b6cdd81af5f371fcd6f96c8f08ba3760b7b660dcf9667e7e7e9f13284d119936bed046cc19c5fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit