Analysis
- max time kernel: 141s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2022 08:57
Behavioral task behavioral1
- Sample: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Resource: win10v2004-20220722-en
General
- Target: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Size: 5.4MB
- MD5: 5ae2a626f52f6607ec13c0ad334ec7af
- SHA1: 8c8bfd4f37c2165a6a58cca4a5479f4942f3165f
- SHA256: 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9
- SHA512: a86d6f516b17313d293a1af326002b959efe107e0c2418fa22bca6f8184dca45adfd8e68961bc6dd54ad19d8ef6138e5ce41e57b204a9be69dd785019775d02d
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  18 | 1268 | wscript.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/956-132-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
  behavioral2/memory/956-134-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
  behavioral2/memory/956-139-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
  behavioral2/memory/956-142-0x0000000140000000-0x0000000140931000-memory.dmp | vmprotect
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
  956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 956 wrote to memory of 1268 | 956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe | wscript.exe
  PID 956 wrote to memory of 1268 | 956 | 738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe | wscript.exe
  PID 1268 wrote to memory of 4452 | 1268 | wscript.exe | cmd.exe
  PID 1268 wrote to memory of 4452 | 1268 | wscript.exe | cmd.exe
  PID 4452 wrote to memory of 2732 | 4452 | cmd.exe | systeminfo.exe
  PID 4452 wrote to memory of 2732 | 4452 | cmd.exe | systeminfo.exe
  PID 1268 wrote to memory of 4192 | 1268 | wscript.exe | cmd.exe
  PID 1268 wrote to memory of 4192 | 1268 | wscript.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\738186c0cd14dc3842b78e52b63c953582aa2170a6294b8443ee028a5982cfe9.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\62B1.tmp\990.vbs
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c systeminfo>\Users\Public\wafe.txt
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            - Gathers system information
      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c del \Users\Public\wafe.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\62B1.tmp\990.vbs
  Filesize: 844B
  MD5: 784876f7348b625ffa03e7baaffacbeb
  SHA1: 48dd279cd30c2f5d1e0312ffdfe2a0042f3cd7c1
  SHA256: 6fae337181f94eb6b70dc99dec4a74af370babcf013e99a9dab023421c15277d
  SHA512: 856748f7f1c8f4a737412018d9cde4c256c66ed714607712dcd3e6dc26437e43b7cbc8d22ddbc18c3a08b78841b2606784f0a44dc7915971b0691992ee3ae778
- C:\Users\Public\wafe.txt
  Filesize: 2KB
  MD5: 3cfb3af44cd4c6d10164d71337dd5299
  SHA1: 23f53d0d55e6c1bdc7b3cf9b163830a8fae9c1bc
  SHA256: 16673b1b4c7d645ac697db4180c66bddc82935c02f40248313118b9c4c8c28e7
  SHA512: 043e1f3a803c426bfc3a825e1a03fa9de9792216051f19adaf0748f13652682658d3ec27828082d12b3eac175d172ead7e4a5c4b5951d5e5b142fbeca22b9ff4
- memory/956-132-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/956-134-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/956-139-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/956-142-0x0000000140000000-0x0000000140931000-memory.dmp
  Filesize: 9.2MB
- memory/1268-135-0x0000000000000000-mapping.dmp
- memory/2732-138-0x0000000000000000-mapping.dmp
- memory/4192-141-0x0000000000000000-mapping.dmp
- memory/4452-137-0x0000000000000000-mapping.dmp