738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
04-08-2022 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
Size

5.4MB
MD5

5ae2a626f52f6607ec13c0ad334ec7af
SHA1

8c8bfd4f37c2165a6a58cca4a5479f4942f3165f
SHA256

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9
SHA512

a86d6f516b17313d293a1af326002b959efe107e0c2418fa22bca6f8184dca45adfd8e68961bc6dd54ad19d8ef6138e5ce41e57b204a9be69dd785019775d02d

Score

8^/10

vmprotect

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

2 968 wscript.exe

flow	pid	process
2	968	wscript.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/960-55-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect
behavioral1/memory/960-59-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect
behavioral1/memory/960-66-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1684 systeminfo.exe

pid	process
1684	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe

pid	process
960	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
960	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exewscript.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 968	960	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe	wscript.exe
PID 960 wrote to memory of 968	960	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe	wscript.exe
PID 960 wrote to memory of 968	960	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe	wscript.exe
PID 968 wrote to memory of 2028	968	wscript.exe	cmd.exe
PID 968 wrote to memory of 2028	968	wscript.exe	cmd.exe
PID 968 wrote to memory of 2028	968	wscript.exe	cmd.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	systeminfo.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	systeminfo.exe
PID 2028 wrote to memory of 1684	2028	cmd.exe	systeminfo.exe
PID 968 wrote to memory of 1428	968	wscript.exe	cmd.exe
PID 968 wrote to memory of 1428	968	wscript.exe	cmd.exe
PID 968 wrote to memory of 1428	968	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
"C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9B2.tmp\990.vbs
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c systeminfo>\Users\Public\wafe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
3⤵
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B2.tmp\990.vbs
Filesize
844B

MD5
784876f7348b625ffa03e7baaffacbeb

SHA1
48dd279cd30c2f5d1e0312ffdfe2a0042f3cd7c1

SHA256
6fae337181f94eb6b70dc99dec4a74af370babcf013e99a9dab023421c15277d

SHA512
856748f7f1c8f4a737412018d9cde4c256c66ed714607712dcd3e6dc26437e43b7cbc8d22ddbc18c3a08b78841b2606784f0a44dc7915971b0691992ee3ae778

Download Submit
C:\Users\Public\wafe.txt
Filesize
2KB

MD5
b4ff64724330a5534622750c197d2484

SHA1
f36591f4b0887e43e61c60911638643c4a0feb23

SHA256
d226eef3932b9bb573cbe4d7bc222024bdae22b36342aa6eae71abb0c5c7188c

SHA512
a48d3df5ee6d10966e0ce10d8cf9370eb85e6746f26cadd70abb47329ee93a0505d1d774d8e4c6ce822f20005e179d13e8159c592a7689dd7c294ae1b0ccb553

Download Submit
memory/960-54-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/960-57-0x0000000001D00000-0x0000000001D1A000-memory.dmp

Filesize
104KB

Download
memory/960-59-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/960-66-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/968-58-0x0000000000000000-mapping.dmp

Download
memory/1428-65-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download