09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
Size

880KB
MD5

194345ebabc4e6ce9a385c8bc366e3c0
SHA1

f72d6953d3ab1008e6cc07041118d277b63c6edd
SHA256

09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033
SHA512

2f2e1023605294a0f030140438d0f20329d05aaa95442860060d48f33259592ec9e43bfd56d0e5d52ac600c4bb96ede957a52dc9a6aab3ac959d1c6b956d9096
SSDEEP

6144:LQuiA1RTz/cYja2ieb5YbF5R+Jn8xH97r7F41d43wUmDm:nz/9ja2ieFYp5R+I7+Y

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1932	rundll32.exe	27

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe

Loads dropped DLL 1 IoCs

pid	Process
3248	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3920	3248	WerFault.exe	88

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2000	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
2000	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
3084	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
3084	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3084	2000	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe	86
PID 2000 wrote to memory of 3084	2000	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe	86
PID 2000 wrote to memory of 3084	2000	09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe	86
PID 4572 wrote to memory of 3248	4572	rundll32.exe	88
PID 4572 wrote to memory of 3248	4572	rundll32.exe	88
PID 4572 wrote to memory of 3248	4572	rundll32.exe	88

C:\Users\Admin\AppData\Local\Temp\09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
"C:\Users\Admin\AppData\Local\Temp\09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe
  "C:\Users\Admin\AppData\Local\Temp\09b55350fc85b124a6b6c39dd8604cbb0902e495cbb60fa638532b391947e033.exe" -h
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:3248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 600
    3⤵
    - Program crash
    PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3248 -ip 3248
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
4b81022967a53f322b4f0be01179ab04

SHA1
f7fe8346bb11e37a9d0bdb5c32cdf9eabfb87fde

SHA256
e05152185dc5bb2ae7e1564159166c1fd81702f03473fc793ffa005ca09f2cc1

SHA512
125cccf8ae62a3f297c2b7e94585e9f7275a4c213cfaaa419a64fc0a345b6f7a9bc7677fa534785e38714cfd5227dcd5d3beea61e24b33907a63e4b32f330fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit