738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9

General

Target

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
Size

5.4MB
MD5

5ae2a626f52f6607ec13c0ad334ec7af
SHA1

8c8bfd4f37c2165a6a58cca4a5479f4942f3165f
SHA256

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9
SHA512

a86d6f516b17313d293a1af326002b959efe107e0c2418fa22bca6f8184dca45adfd8e68961bc6dd54ad19d8ef6138e5ce41e57b204a9be69dd785019775d02d

Score

8^/10

vmprotect

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

18 1268 wscript.exe

flow	pid	process
18	1268	wscript.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/956-132-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect
behavioral2/memory/956-134-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect
behavioral2/memory/956-139-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect
behavioral2/memory/956-142-0x0000000140000000-0x0000000140931000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2732 systeminfo.exe

pid	process
2732	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe

pid	process
956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exewscript.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 1268	956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe	wscript.exe
PID 956 wrote to memory of 1268	956	738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe	wscript.exe
PID 1268 wrote to memory of 4452	1268	wscript.exe	cmd.exe
PID 1268 wrote to memory of 4452	1268	wscript.exe	cmd.exe
PID 4452 wrote to memory of 2732	4452	cmd.exe	systeminfo.exe
PID 4452 wrote to memory of 2732	4452	cmd.exe	systeminfo.exe
PID 1268 wrote to memory of 4192	1268	wscript.exe	cmd.exe
PID 1268 wrote to memory of 4192	1268	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
"C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\62B1.tmp\990.vbs
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c systeminfo>\Users\Public\wafe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
3⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62B1.tmp\990.vbs
Filesize
844B

MD5
784876f7348b625ffa03e7baaffacbeb

SHA1
48dd279cd30c2f5d1e0312ffdfe2a0042f3cd7c1

SHA256
6fae337181f94eb6b70dc99dec4a74af370babcf013e99a9dab023421c15277d

SHA512
856748f7f1c8f4a737412018d9cde4c256c66ed714607712dcd3e6dc26437e43b7cbc8d22ddbc18c3a08b78841b2606784f0a44dc7915971b0691992ee3ae778

Download Submit
C:\Users\Public\wafe.txt
Filesize
2KB

MD5
3cfb3af44cd4c6d10164d71337dd5299

SHA1
23f53d0d55e6c1bdc7b3cf9b163830a8fae9c1bc

SHA256
16673b1b4c7d645ac697db4180c66bddc82935c02f40248313118b9c4c8c28e7

SHA512
043e1f3a803c426bfc3a825e1a03fa9de9792216051f19adaf0748f13652682658d3ec27828082d12b3eac175d172ead7e4a5c4b5951d5e5b142fbeca22b9ff4

Download Submit
memory/956-132-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/956-134-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/956-139-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/956-142-0x0000000140000000-0x0000000140931000-memory.dmp

Filesize
9.2MB

Download
memory/1268-135-0x0000000000000000-mapping.dmp

Download
memory/2732-138-0x0000000000000000-mapping.dmp

Download
memory/4192-141-0x0000000000000000-mapping.dmp

Download
memory/4452-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads