Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:18
Static task: static1
Behavioral task: behavioral1
- Sample: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
- Resource: win10v2004-20220414-en
General
- Target: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
- Size: 115KB
- MD5: 7103f17d8ef1883e893a9a10333feec2
- SHA1: 46f722fc1af5cba5cf322a8c3af20f58cfce47e9
- SHA256: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478
- SHA512: 8b177b6128b78756b3a75f22ef4f62d9b5bf189c7e53dc4cc7871dc24bc93a5677f27ac2064e483cb09a55f2b4825148da8499373708046645c425508f5f8fb0
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 220: wscript.exe
- Modifies Windows Firewall (1 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247f78ab72096ae9469980cb6ed2519a.exe (process: wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247f78ab72096ae9469980cb6ed2519a.exe (process: wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247f78ab72096ae9469980cb6ed2519a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscript.exe\" .." (process: wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247f78ab72096ae9469980cb6ed2519a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscript.exe\" .." (process: wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 220 / wscript.exe
  - Token: 33 / 220 / wscript.exe and Token: SeIncBasePriorityPrivilege / 220 / wscript.exe, alternating in 25 pairs (50 entries, the remaining IoCs of the 51 listed)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 4436 wrote to memory of 220 / 4436 / fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe / wscript.exe
  - PID 4436 wrote to memory of 220 / 4436 / fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe / wscript.exe
  - PID 220 wrote to memory of 1028 / 220 / wscript.exe / netsh.exe
  - PID 220 wrote to memory of 1028 / 220 / wscript.exe / netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wscript.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wscript.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wscript.exe" "wscript.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\wscript.exe
  - Filesize: 115KB
  - MD5: 7103f17d8ef1883e893a9a10333feec2
  - SHA1: 46f722fc1af5cba5cf322a8c3af20f58cfce47e9
  - SHA256: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478
  - SHA512: 8b177b6128b78756b3a75f22ef4f62d9b5bf189c7e53dc4cc7871dc24bc93a5677f27ac2064e483cb09a55f2b4825148da8499373708046645c425508f5f8fb0
- C:\Users\Admin\AppData\Local\Temp\wscript.exe
  - Filesize: 115KB
  - MD5: 7103f17d8ef1883e893a9a10333feec2
  - SHA1: 46f722fc1af5cba5cf322a8c3af20f58cfce47e9
  - SHA256: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478
  - SHA512: 8b177b6128b78756b3a75f22ef4f62d9b5bf189c7e53dc4cc7871dc24bc93a5677f27ac2064e483cb09a55f2b4825148da8499373708046645c425508f5f8fb0
- memory/220-131-0x0000000000000000-mapping.dmp
- memory/220-134-0x000000001B520000-0x000000001BF56000-memory.dmp
  - Filesize: 10.2MB
- memory/1028-135-0x0000000000000000-mapping.dmp
- memory/4436-130-0x00007FFE568E0000-0x00007FFE57316000-memory.dmp
  - Filesize: 10.2MB