e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 13:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
Size

180KB
MD5

39a2d48d5deac947faca65c15d343760
SHA1

05c694aaf5bf4ef54d376b21475c9e60a078f95d
SHA256

e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19
SHA512

2b21d69d3bf7d9a3284334d7da399bfa1ff9c6f9b9770d4924601929838c743928758f85b9cbe702697321e5cfd0720f6ed8081e469ab46cc8cff18618ba5bfc
SSDEEP

3072:pwxVMhOC/dTDbq91+mno3t4QZQ3rh2TTNTJTCN5gTGhSkT5dgsUGOgkBFVYbsVTo:pTfFDbRnOTr085p8mkJA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\winsoft9\2222.vbs	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
File opened for modification	C:\Program Files (x86)\winsoft9	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
File created	C:\Program Files (x86)\winsoft9\__tmp_rar_sfx_access_check_240544421	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
File created	C:\Program Files (x86)\winsoft9\3.vbs	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
File opened for modification	C:\Program Files (x86)\winsoft9\3.vbs	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
File created	C:\Program Files (x86)\winsoft9\2222.vbs	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4620	860	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe	84
PID 860 wrote to memory of 4620	860	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe	84
PID 860 wrote to memory of 4620	860	e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe	84

C:\Users\Admin\AppData\Local\Temp\e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe
"C:\Users\Admin\AppData\Local\Temp\e20ce4778b0354b322a4037a7c2a1ade5a3f8bdc0cdea47f4164cb8e77380f19.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\winsoft9\2222.vbs"
  2⤵
  PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winsoft9\2222.vbs

Filesize
471B

MD5
2824245171cf637208dcab397e47ee58

SHA1
f8bd96f2dfb4e0241f27c9fe3146f13b6242ecb7

SHA256
7b647bb80e6833748bc07c9acdc09cbb359ad5a6912e8a3aec44b71e7d9f5749

SHA512
b4cca800f6de4496ce21f281dcaffa6499d250d44b3e5cefde13527bcbea13c72824f89108c98743540a7e3dce4fc2b458b69dd433e243f97aea7c8918254e1d

Download Submit