28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
Size

5.4MB
MD5

0fb3f0ee78448aac3542aba6aa9f3bb0
SHA1

fd7577dd6cdcef82108d2c70954c77db12ab3e05
SHA256

28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e
SHA512

ab02e4504f137262930da264ba71ab9ebdd43cfca65c42b3e5964d9914cd306122cdffd28871093cef707924c170394d1f81fed31604986e9d3fe43d2b85efbb

Score

8^/10

vmprotect

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

10 3440 wscript.exe

flow	pid	process
10	3440	wscript.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2728-131-0x0000000140000000-0x0000000140933000-memory.dmp	vmprotect
behavioral2/memory/2728-137-0x0000000140000000-0x0000000140933000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe

pid	process
2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exewscript.exe

description	pid	process	target process
PID 2728 wrote to memory of 3440	2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe	wscript.exe
PID 2728 wrote to memory of 3440	2728	28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe	wscript.exe
PID 3440 wrote to memory of 3536	3440	wscript.exe	cmd.exe
PID 3440 wrote to memory of 3536	3440	wscript.exe	cmd.exe
PID 3440 wrote to memory of 2596	3440	wscript.exe	cmd.exe
PID 3440 wrote to memory of 2596	3440	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe
"C:\Users\Admin\AppData\Local\Temp\28f95bd89183a54567e70e2d02afc9bdb26f196c79b7e65aefecd30a1cd4ff2e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7072.tmp\21.vbs
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c requireAdministrator>systeminfo>\Users\Public\wafe.txt
3⤵
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
3⤵
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7072.tmp\21.vbs
Filesize
862B

MD5
78b750cc6656d3b51e01a9ef0c32a863

SHA1
86f0e714b6899f995e4cdc0e0a1030a40bd630b6

SHA256
b5a8b138adf8d3c0c7dd4a164fb45543859352cee1663dee6a4b61f8eced74b9

SHA512
faf309489698e2732646be797e50402265738d97b0b9687113db2242e3c9947e1aa63ae0fad34526998380280d0f2f6e7dc7c36df1f80e600d9acf2ed24b2ccc

Download Submit
memory/2596-136-0x0000000000000000-mapping.dmp

Download
memory/2728-131-0x0000000140000000-0x0000000140933000-memory.dmp

Filesize
9.2MB

Download
memory/2728-137-0x0000000140000000-0x0000000140933000-memory.dmp

Filesize
9.2MB

Download
memory/3440-133-0x0000000000000000-mapping.dmp

Download
memory/3536-135-0x0000000000000000-mapping.dmp

Download