4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
Size

2.6MB
MD5

5d9b726cdc7455d58b5e6771d1316f55
SHA1

f803ca6b3986813dbbb700794fc2aba02d93a5c7
SHA256

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e
SHA512

4a7ebdded0ad97031011a5bbb2c98440eab4cc66309f518b128e6a6773c9add54767c36f4d915faf0e52e10b69f9441af9d3edf46a9d4a9cb1620565d7bd34c1

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 3464 wscript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3464	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

Loads dropped DLL 9 IoCs

Processes:

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

pid	process
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.execmd.exe

description	pid	process	target process
PID 4284 wrote to memory of 2412	4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 4284 wrote to memory of 2412	4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 4284 wrote to memory of 2412	4284	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 2412 wrote to memory of 2404	2412	cmd.exe	WMIC.exe
PID 2412 wrote to memory of 2404	2412	cmd.exe	WMIC.exe
PID 2412 wrote to memory of 2404	2412	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
"C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4284

C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c wmic process call create "wscript %temp%\start.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process call create "wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
1⤵
- Process spawned unexpected child process
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\nsUnzip.dll
Filesize
146KB

MD5
77a26c23948070dc012bba65e7f390aa

SHA1
7e112775770f9b3b24e2a238b5f7c66f8802e5d8

SHA256
4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

SHA512
2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.vbs
Filesize
321B

MD5
51546c284d2ee505bc551247ab0c105e

SHA1
66fd2bbbaffbd68051e189fa44d97ae9ae2749b1

SHA256
31c473f41ac9d4515870b8c5b128cd5f3c901fcfe45116435cd1c3266f3f9ed5

SHA512
0ea834a7d869cbb94d7bcddce1b63cd3126ac1fd771fe00fcc075d06f285352004a2ff3702270488f3753d245328a779320f1b2abfd325ef45537c0cbe83e76e

Download Submit
memory/2404-144-0x0000000000000000-mapping.dmp

Download
memory/2412-143-0x0000000000000000-mapping.dmp

Download
memory/4284-132-0x00000000021A1000-0x00000000021A5000-memory.dmp

Filesize
16KB

Download