bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea

Analysis

max time kernel
132s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2022, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe
Size

75KB
MD5

223a512f5c73433b587cecb1473179c8
SHA1

148a74c051f9db27376635d4c4d130c87460f77b
SHA256

bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea
SHA512

919d0c7af6dbb725df0c77946128b3a0b342acb47a9e3ac0b1851f5202531ceeec8a36b94b87ae61839c8e089995724529dee69c3067bb8fa0325cf3919fe329
SSDEEP

1536:bVN9S4A343LR+u+yEfXPqD+ZTIlG4t2ynLMTZnai:b0aR+u0XPqD+Z8lG4t2ynL4Zai

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\intel\jingling.exe	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4444	4984	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	80
PID 4984 wrote to memory of 4444	4984	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	80
PID 4984 wrote to memory of 4444	4984	bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe	80
PID 4444 wrote to memory of 3016	4444	WScript.exe	81
PID 4444 wrote to memory of 3016	4444	WScript.exe	81
PID 4444 wrote to memory of 3016	4444	WScript.exe	81
PID 3016 wrote to memory of 2480	3016	cmd.exe	83
PID 3016 wrote to memory of 2480	3016	cmd.exe	83
PID 3016 wrote to memory of 2480	3016	cmd.exe	83
PID 2480 wrote to memory of 5112	2480	net.exe	84
PID 2480 wrote to memory of 5112	2480	net.exe	84
PID 2480 wrote to memory of 5112	2480	net.exe	84

C:\Users\Admin\AppData\Local\Temp\bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe
"C:\Users\Admin\AppData\Local\Temp\bd0795308caba4ce2781c934529b90557b9bd0be735d7dcfb1f3f2da226d6eea.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abc.vbs"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop ATISmart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\net.exe
      net stop ATISmart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop ATISmart
        5⤵
        
        PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abc.vbs

Filesize
1KB

MD5
2a5a8bb0ed289cb4253d2b93d5e63311

SHA1
ebccfdf01b2fcffcb7b92f8bed902b205867a6d4

SHA256
e34b3617c34997ddcd2e32516f2a9227d4e1d9bff24cc6c4dca2d704dd3d1c12

SHA512
c77c4afa558c059fa788f0b49f140d24bbf3f709dcf5ded046cbe89f8910d9b66941a52cb50f39dbe44189efcdae4bb1db3690528517c6b3ad695d7522f8a184

Download Submit