3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe
Size

305KB
MD5

e9e8c070b34b395489a18bd9cc5cfe97
SHA1

5822461d43129b2501ef1e963bd3b4bcc182e40d
SHA256

3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2
SHA512

44706890d8ad5d74f217f2b245f3ea84434b84082e253d39bba537f61832f94155b2e6be654b3069ae38050a790c7f3c457ecec6b03520f957ac1d1fa21d114e
SSDEEP

6144:/Ya6KLv4nsx++b52HokQCkaDsR3XBoQV5KIWanleg/K7rfbiiGi:/Y0LvrJAHI7QYkmnlzS7rAi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	wrlzkzy.exe

Executes dropped EXE 2 IoCs

pid	Process
4576	wrlzkzy.exe
3020	wrlzkzy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 3020	4576	wrlzkzy.exe	86
PID 3020 set thread context of 1292	3020	wrlzkzy.exe	81
PID 2232 set thread context of 1292	2232	cmmon32.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3908	4424	WerFault.exe	94

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4576	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
3020	wrlzkzy.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe
2232	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	wrlzkzy.exe
Token: SeDebugPrivilege	2232	cmmon32.exe
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeCreatePagefilePrivilege	1292	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4576	4508	3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe	84
PID 4508 wrote to memory of 4576	4508	3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe	84
PID 4508 wrote to memory of 4576	4508	3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe	84
PID 4576 wrote to memory of 3020	4576	wrlzkzy.exe	86
PID 4576 wrote to memory of 3020	4576	wrlzkzy.exe	86
PID 4576 wrote to memory of 3020	4576	wrlzkzy.exe	86
PID 4576 wrote to memory of 3020	4576	wrlzkzy.exe	86
PID 1292 wrote to memory of 2232	1292	Explorer.EXE	87
PID 1292 wrote to memory of 2232	1292	Explorer.EXE	87
PID 1292 wrote to memory of 2232	1292	Explorer.EXE	87
PID 2232 wrote to memory of 4424	2232	cmmon32.exe	94
PID 2232 wrote to memory of 4424	2232	cmmon32.exe	94
PID 2232 wrote to memory of 4424	2232	cmmon32.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe
  "C:\Users\Admin\AppData\Local\Temp\3fb2ea468d879582791fb74c6ef0898e45f62b2e22c6b6b1311def934957cde2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
    "C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe" C:\Users\Admin\AppData\Local\Temp\irwxzea.nf
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe
      "C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4424
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4424 -s 144
      4⤵
      Program crash
      PID:3908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4424 -ip 4424
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\irwxzea.nf

Filesize
5KB

MD5
6ae5403c5208ef1be21da0cd8a2a6148

SHA1
a7d05f32e8d8cd3328b512715adb49c8a5d89214

SHA256
0a6eaf357edafed3b457a7038a9be8b4e323b2d87e12a3414be212a262cd8a21

SHA512
4cd00f509fd3d45c7c3c2d8fbb3a38930e204056df6fdc9549fdadedfbe4a3a326e8f89bc28cf891f649ba36c92175f534d019627c4677646ccbf937c24e301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzwei.nv

Filesize
205KB

MD5
e75bf2acec6e9a536f58ba066ec0e05a

SHA1
a1a6b1fcd7e60d1f1a441574d7614f6da2370578

SHA256
603420dac511cb1c0a550f6db3b2f49da1d18a258f4f7110dd041ee2be35e4ee

SHA512
d7130aff461125c91625ffcf938a039058e5af307ec3891ecad04455dbf897efe1b6880fd86538cd52c34115a84d3d9e164c32768caf3d1c2332390a1cd0a8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe

Filesize
147KB

MD5
6b34e3f7bf37f2269e6f86cae8e24ea1

SHA1
79b4bcd8bc97c506b3161985e1ba1e94344722af

SHA256
16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

SHA512
93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe

Filesize
147KB

MD5
6b34e3f7bf37f2269e6f86cae8e24ea1

SHA1
79b4bcd8bc97c506b3161985e1ba1e94344722af

SHA256
16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

SHA512
93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrlzkzy.exe

Filesize
147KB

MD5
6b34e3f7bf37f2269e6f86cae8e24ea1

SHA1
79b4bcd8bc97c506b3161985e1ba1e94344722af

SHA256
16c3749c576220726436bab7a636c6ebe3e40fb7d5856d7570d421fafc4703bd

SHA512
93de3e3ba961c81d3c0b47809c740326a0e369c641bb30be818f4780bdfff9c4a727111fe973ffd7c6b18ffd3d02341b96f98f6d72d374d1909156276b13cdf3

Download Submit
memory/1292-200-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-203-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-176-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-229-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/1292-184-0x0000000008710000-0x000000000881F000-memory.dmp

Filesize
1.1MB

Download
memory/1292-149-0x00000000081C0000-0x00000000082A4000-memory.dmp

Filesize
912KB

Download
memory/1292-223-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-222-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-221-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-181-0x0000000008710000-0x000000000881F000-memory.dmp

Filesize
1.1MB

Download
memory/1292-219-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-218-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-159-0x0000000008710000-0x000000000881F000-memory.dmp

Filesize
1.1MB

Download
memory/1292-158-0x0000000008710000-0x000000000881F000-memory.dmp

Filesize
1.1MB

Download
memory/1292-217-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-161-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-162-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-163-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-165-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-164-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-166-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-167-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-168-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-169-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-170-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-171-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-172-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-173-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-174-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-175-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-216-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-220-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-215-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-190-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-191-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-192-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-193-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-194-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-195-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-196-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-197-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-198-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-199-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-214-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-201-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-202-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-213-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-204-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-205-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1292-206-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

Filesize
8KB

Download
memory/2232-157-0x0000000002B70000-0x0000000002BFF000-memory.dmp

Filesize
572KB

Download
memory/2232-156-0x0000000002D40000-0x000000000308A000-memory.dmp

Filesize
3.3MB

Download
memory/2232-155-0x0000000000E40000-0x0000000000E6D000-memory.dmp

Filesize
180KB

Download
memory/2232-154-0x0000000000E40000-0x0000000000E6D000-memory.dmp

Filesize
180KB

Download
memory/2232-153-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2232-151-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/3020-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-148-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/3020-146-0x0000000000A30000-0x0000000000D7A000-memory.dmp

Filesize
3.3MB

Download
memory/4576-140-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download