38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe
Size

127KB
MD5

0ed52c86604e8097bffd866083be2a34
SHA1

e2a5e42db4540ba820d76dc1d70f5f9e885f18cb
SHA256

38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0
SHA512

debb951915724d405eb87e601753773195c92178ce603ed0b0ca22c92122118215b7ead778fb24d638acb14341bb288142c7acbefce8a06bd508eae1b1055fa4
SSDEEP

3072:tWIVzl1GSJLLpgmGj8g5ZQXMmwI+QXMmwI23:gIVzl3LumGGMazMa23

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
988	DelAB96.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4860	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	82
PID 1048 wrote to memory of 4860	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	82
PID 1048 wrote to memory of 4860	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	82
PID 4860 wrote to memory of 4280	4860	cmd.exe	84
PID 4860 wrote to memory of 4280	4860	cmd.exe	84
PID 4860 wrote to memory of 4280	4860	cmd.exe	84
PID 1048 wrote to memory of 988	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	85
PID 1048 wrote to memory of 988	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	85
PID 1048 wrote to memory of 988	1048	38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe	85
PID 988 wrote to memory of 4980	988	DelAB96.tmp	86
PID 988 wrote to memory of 4980	988	DelAB96.tmp	86
PID 988 wrote to memory of 4980	988	DelAB96.tmp	86
PID 4980 wrote to memory of 1488	4980	cmd.exe	88
PID 4980 wrote to memory of 1488	4980	cmd.exe	88
PID 4980 wrote to memory of 1488	4980	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe
"C:\Users\Admin\AppData\Local\Temp\38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c a.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    3⤵
    PID:4280
- C:\Users\Admin\AppData\Local\Temp\DelAB96.tmp
  C:\Users\Admin\AppData\Local\Temp\DelAB96.tmp 296 "C:\Users\Admin\AppData\Local\Temp\38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a.vbs
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelAB96.tmp

Filesize
127KB

MD5
0ed52c86604e8097bffd866083be2a34

SHA1
e2a5e42db4540ba820d76dc1d70f5f9e885f18cb

SHA256
38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0

SHA512
debb951915724d405eb87e601753773195c92178ce603ed0b0ca22c92122118215b7ead778fb24d638acb14341bb288142c7acbefce8a06bd508eae1b1055fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DelAB96.tmp

Filesize
127KB

MD5
0ed52c86604e8097bffd866083be2a34

SHA1
e2a5e42db4540ba820d76dc1d70f5f9e885f18cb

SHA256
38bf026f703f1047dfc63aa1a4f51c6455a0cd4e496879dacd7f49673eff8cc0

SHA512
debb951915724d405eb87e601753773195c92178ce603ed0b0ca22c92122118215b7ead778fb24d638acb14341bb288142c7acbefce8a06bd508eae1b1055fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
22KB

MD5
0a4899d7995aeb9b8263f62dcae31c0c

SHA1
d4f5dc941ffa15b07e73097d6dccd87ddfef2e22

SHA256
ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617

SHA512
ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
22KB

MD5
0a4899d7995aeb9b8263f62dcae31c0c

SHA1
d4f5dc941ffa15b07e73097d6dccd87ddfef2e22

SHA256
ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617

SHA512
ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5

Download Submit