Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 04:25
Behavioral task behavioral1
Sample: fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
Resource: win7-20220715-en
Behavioral task behavioral2
Sample: fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
Resource: win10v2004-20220721-en
General
Target: fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
Size: 5.4MB
MD5: 9443893f08c65fdae127a1c16f8a7600
SHA1: 5eefe94a12c0d06b05cfdd6159e5cfe59e3331bf
SHA256: fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4
SHA512: 45a01935d3874e3ed73c6b90956191132386424fa248a4f8723ee6d4575109374fb39b169ff3ec41a6e68f36b119d8475f90fc7fe8bec68b1f3082f9f22e7ee8
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes (flow / pid / process):
  19  4308  wscript.exe
Processes (resource / yara_rule):
  behavioral2/memory/3672-130-0x0000000140000000-0x000000014092A000-memory.dmp  vmprotect
  behavioral2/memory/3672-137-0x0000000140000000-0x000000014092A000-memory.dmp  vmprotect
  behavioral2/memory/3672-139-0x0000000140000000-0x000000014092A000-memory.dmp  vmprotect
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation  wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid / process):
  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 3672 wrote to memory of 4308  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe  wscript.exe
  PID 3672 wrote to memory of 4308  3672  fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe  wscript.exe
  PID 4308 wrote to memory of 1196  4308  wscript.exe  cmd.exe
  PID 4308 wrote to memory of 1196  4308  wscript.exe  cmd.exe
  PID 1196 wrote to memory of 1912  1196  cmd.exe  systeminfo.exe
  PID 1196 wrote to memory of 1912  1196  cmd.exe  systeminfo.exe
  PID 4308 wrote to memory of 2268  4308  wscript.exe  cmd.exe
  PID 4308 wrote to memory of 2268  4308  wscript.exe  cmd.exe
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fc17d82965b92af78c6925ff2e6d966b879e1a623850a9306a5e01ba13c546e4.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    (level 2) C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\60F1.tmp\09.vbs
        - Blocklisted process makes network request
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c systeminfo>requireAdministrator>\Users\Public\wafe.txt
            - Suspicious use of WriteProcessMemory
            (level 4) C:\Windows\system32\systeminfo.exe
                command line: systeminfo
                - Gathers system information
        (level 3) C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\60F1.tmp\09.vbs
  Filesize: 949B
  MD5: 20c04c5c1bd83da4d71f477ba708ccab
  SHA1: 00ad216b6698298c27ca69ca4703a0accfc4c9b1
  SHA256: 770fa7b4b88765699bd9aaedb1561748318ef07bbe306c558bc0eb64060c8bb3
  SHA512: ed52d4c8b7ee508b5c6e13453c25c54dacc39b09e809aec7c6ecb749ff64aa2a681ab2e33116087cee46ffd9f48dc2a0a5e393ed820eda9ecc16a2d4a3790665
C:\Users\Public\wafe.txt
  Filesize: 2KB
  MD5: 11b8dcf348eb163e549715c368606a08
  SHA1: 100e6fce22b1cf85b0755cbcb7698095795a5c41
  SHA256: dd3df12714bc64038448214c453e94c6f4294ddd233f658dc4404c1323c280c1
  SHA512: 149739b86eaa731a8a3fb8d70ff3a1b4254f16bcadfbc2d9cf44efc33c8dd9f1e13c13a31f0ef1cc327b54f932e90ff6becfafd17842b29aff6573bdc9b4458e
memory/1196-134-0x0000000000000000-mapping.dmp
memory/1912-135-0x0000000000000000-mapping.dmp
memory/2268-138-0x0000000000000000-mapping.dmp
memory/3672-130-0x0000000140000000-0x000000014092A000-memory.dmp
  Filesize: 9.2MB
memory/3672-137-0x0000000140000000-0x000000014092A000-memory.dmp
  Filesize: 9.2MB
memory/3672-139-0x0000000140000000-0x000000014092A000-memory.dmp
  Filesize: 9.2MB
memory/4308-132-0x0000000000000000-mapping.dmp