Analysis
- max time kernel: 38s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 04-08-2022 03:04
Behavioral task: behavioral1
- Sample: 28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
- Resource: win10v2004-20220721-en
General
- Target: 28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
- Size: 5.4MB
- MD5: 0fb3f0ee78448aac3542aba6aa9f3bb0
- SHA1: fd7577dd6cdcef82108d2c70954c77db12ab3e05
- SHA256: 28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e
- SHA512: ab02e4504f137262930da264ba71ab9ebdd43cfca65c42b3e5964d9914cd306122cdffd28871093cef707924c170394d1f81fed31604986e9d3fe43d2b85efbb
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow  pid   process
    2     1948  wscript.exe
- Processes (yara_rule matches):
    resource                                                                     yara_rule
    behavioral1/memory/848-55-0x0000000140000000-0x0000000140933000-memory.dmp   vmprotect
    behavioral1/memory/848-57-0x0000000140000000-0x0000000140933000-memory.dmp   vmprotect
    behavioral1/memory/848-63-0x0000000140000000-0x0000000140933000-memory.dmp   vmprotect
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    848   28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
    848   28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 848 wrote to memory of 1948    848   28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe     wscript.exe
    PID 848 wrote to memory of 1948    848   28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe     wscript.exe
    PID 848 wrote to memory of 1948    848   28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe     wscript.exe
    PID 1948 wrote to memory of 1940   1948  wscript.exe                                                               cmd.exe
    PID 1948 wrote to memory of 1940   1948  wscript.exe                                                               cmd.exe
    PID 1948 wrote to memory of 1940   1948  wscript.exe                                                               cmd.exe
    PID 1948 wrote to memory of 1708   1948  wscript.exe                                                               cmd.exe
    PID 1948 wrote to memory of 1708   1948  wscript.exe                                                               cmd.exe
    PID 1948 wrote to memory of 1708   1948  wscript.exe                                                               cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\51B9.tmp\21.vbs
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c requireAdministrator>systeminfo>\Users\Public\wafe.txt
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\51B9.tmp\21.vbs
  Filesize: 862B
  MD5: 78b750cc6656d3b51e01a9ef0c32a863
  SHA1: 86f0e714b6899f995e4cdc0e0a1030a40bd630b6
  SHA256: b5a8b138adf8d3c0c7dd4a164fb45543859352cee1663dee6a4b61f8eced74b9
  SHA512: faf309489698e2732646be797e50402265738d97b0b9687113db2242e3c9947e1aa63ae0fad34526998380280d0f2f6e7dc7c36df1f80e600d9acf2ed24b2ccc
- memory/848-54-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp
  Filesize: 8KB
- memory/848-55-0x0000000140000000-0x0000000140933000-memory.dmp
  Filesize: 9.2MB
- memory/848-57-0x0000000140000000-0x0000000140933000-memory.dmp
  Filesize: 9.2MB
- memory/848-63-0x0000000140000000-0x0000000140933000-memory.dmp
  Filesize: 9.2MB
- memory/1708-62-0x0000000000000000-mapping.dmp
- memory/1940-61-0x0000000000000000-mapping.dmp
- memory/1948-58-0x0000000000000000-mapping.dmp