Analysis
- Max time kernel: 91s
- Max time network: 127s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 24-05-2022 21:54
Static task: static1
Behavioral task: behavioral1
- Sample: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
- Resource: win10v2004-20220414-en
General
- Target: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
- Size: 2.6MB
- MD5: 5d9b726cdc7455d58b5e6771d1316f55
- SHA1: f803ca6b3986813dbbb700794fc2aba02d93a5c7
- SHA256: 4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e
- SHA512: 4a7ebdded0ad97031011a5bbb2c98440eab4cc66309f518b128e6a6773c9add54767c36f4d915faf0e52e10b69f9441af9d3edf46a9d4a9cb1620565d7bd34c1
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  wscript.exe: parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid 2524, target pid 3464, target process wscript.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe: key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (9 IoCs)
  Processes:
  4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe (pid 4284), 9 occurrences
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes:
  WMIC.exe (pid 2404) adjusted the following token privileges, each observed twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 4284 (4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe) wrote to memory of PID 2412 (cmd.exe), 3 times
  PID 2412 (cmd.exe) wrote to memory of PID 2404 (WMIC.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\windows\SysWOW64\cmd.exe
    Command line: "C:\windows\system32\cmd.exe" /c wmic process call create "wscript %temp%\start.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic process call create "wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wscript.exe
  Command line: wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
  - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\blowfish.dll
  Filesize: 22KB
  MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
  SHA1: fbd07adb3f02f866dc3a327a86b0f319d4a94502
  SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
  SHA512: f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
- C:\Users\Admin\AppData\Local\Temp\nshB490.tmp\nsUnzip.dll
  Filesize: 146KB
  MD5: 77a26c23948070dc012bba65e7f390aa
  SHA1: 7e112775770f9b3b24e2a238b5f7c66f8802e5d8
  SHA256: 4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
  SHA512: 2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
- C:\Users\Admin\AppData\Local\Temp\start.vbs
  Filesize: 321B
  MD5: 51546c284d2ee505bc551247ab0c105e
  SHA1: 66fd2bbbaffbd68051e189fa44d97ae9ae2749b1
  SHA256: 31c473f41ac9d4515870b8c5b128cd5f3c901fcfe45116435cd1c3266f3f9ed5
  SHA512: 0ea834a7d869cbb94d7bcddce1b63cd3126ac1fd771fe00fcc075d06f285352004a2ff3702270488f3753d245328a779320f1b2abfd325ef45537c0cbe83e76e
- memory/2404-144-0x0000000000000000-mapping.dmp
- memory/2412-143-0x0000000000000000-mapping.dmp
- memory/4284-132-0x00000000021A1000-0x00000000021A5000-memory.dmp
  Filesize: 16KB