Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 04-08-2022 08:57
Behavioral task: behavioral1
- Sample: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Resource: win10v2004-20220722-en
General
- Target: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Size: 5.4MB
- MD5: 5ae2a626f52f6607ec13c0ad334ec7af
- SHA1: 8c8bfd4f37c2165a6a58cca4a5479f4942f3165f
- SHA256: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9
- SHA512: a86d6f516b17313d293a1af326002b959efe107e0c2418fa22bca6f8184dca45adfd8e68961bc6dd54ad19d8ef6138e5ce41e57b204a9be69dd785019775d02d
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: wscript.exe
  flow | pid | process
  2    | 968 | wscript.exe
- YARA rule match (rule: vmprotect)
  resource                                                                   | yara_rule
  behavioral1/memory/960-55-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
  behavioral1/memory/960-59-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
  behavioral1/memory/960-66-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  pid | process
  960 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  960 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe, wscript.exe, cmd.exe
  description                       | pid  | process                                                               | target process
  PID 960 wrote to memory of 968    | 960  | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe | wscript.exe
  PID 960 wrote to memory of 968    | 960  | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe | wscript.exe
  PID 960 wrote to memory of 968    | 960  | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe | wscript.exe
  PID 968 wrote to memory of 2028   | 968  | wscript.exe                                                           | cmd.exe
  PID 968 wrote to memory of 2028   | 968  | wscript.exe                                                           | cmd.exe
  PID 968 wrote to memory of 2028   | 968  | wscript.exe                                                           | cmd.exe
  PID 2028 wrote to memory of 1684  | 2028 | cmd.exe                                                               | systeminfo.exe
  PID 2028 wrote to memory of 1684  | 2028 | cmd.exe                                                               | systeminfo.exe
  PID 2028 wrote to memory of 1684  | 2028 | cmd.exe                                                               | systeminfo.exe
  PID 968 wrote to memory of 1428   | 968  | wscript.exe                                                           | cmd.exe
  PID 968 wrote to memory of 1428   | 968  | wscript.exe                                                           | cmd.exe
  PID 968 wrote to memory of 1428   | 968  | wscript.exe                                                           | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (level 2)
    Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9B2.tmp\990.vbs
    Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c systeminfo>\Users\Public\wafe.txt
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\systeminfo.exe (level 4)
        Command line: systeminfo
        Signatures: Gathers system information
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9B2.tmp\990.vbs
  Filesize: 844B
  MD5: 784876f7348b625ffa03e7baaffacbeb
  SHA1: 48dd279cd30c2f5d1e0312ffdfe2a0042f3cd7c1
  SHA256: 6fae337181f94eb6b70dc99dec4a74af370babcf013e99a9dab023421c15277d
  SHA512: 856748f7f1c8f4a737412018d9cde4c256c66ed714607712dcd3e6dc26437e43b7cbc8d22ddbc18c3a08b78841b2606784f0a44dc7915971b0691992ee3ae778
- C:\Users\Public\wafe.txt
  Filesize: 2KB
  MD5: b4ff64724330a5534622750c197d2484
  SHA1: f36591f4b0887e43e61c60911638643c4a0feb23
  SHA256: d226eef3932b9bb573cbe4d7bc222024bdae22b36342aa6eae71abb0c5c7188c
  SHA512: a48d3df5ee6d10966e0ce10d8cf9370eb85e6746f26cadd70abb47329ee93a0505d1d774d8e4c6ce822f20005e179d13e8159c592a7689dd7c294ae1b0ccb553
- memory/960-54-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
  Filesize: 8KB
- memory/960-55-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/960-57-0x0000000001D00000-0x0000000001D1A000-memory.dmp
  Filesize: 104KB
- memory/960-59-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/960-66-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/968-58-0x0000000000000000-mapping.dmp
- memory/1428-65-0x0000000000000000-mapping.dmp
- memory/1684-63-0x0000000000000000-mapping.dmp
- memory/2028-62-0x0000000000000000-mapping.dmp