1227929a4962989bd6676abba8f974bdf35576c98973309f4a30789a9d9be796

Analysis

max time kernel
33s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_E506_Nov#22.iso
Size

1.2MB
MD5

1324c3f5b19897f15a4d26a18a125ebe
SHA1

78391b0832d0f5f4aca0598086fee39d0c5dadd5
SHA256

1227929a4962989bd6676abba8f974bdf35576c98973309f4a30789a9d9be796
SHA512

cbcd0489cd913ff462539780bf4a9715ce18403e50c071c3b32d090c42e0723e5a21470cdad837b16bf92a86447577dd03b376d79be3c0db6ac18120b270ceb1
SSDEEP

24576:2t68Z3shoA9qB8DvUAZkl9iIDIQIFaO1YnknF6:f8vmqB8DUAZklKYnknF6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

File opened (read-only) \??\E: WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2560 3784 WerFault.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe

description	ioc	process
File opened (read-only)	\??\E:	WScript.exe

pid	pid_target	process	target process
2560	3784	WerFault.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WScript.exerundll32.exe

description	pid	process	target process
PID 1640 wrote to memory of 4288	1640	WScript.exe	rundll32.exe
PID 1640 wrote to memory of 4288	1640	WScript.exe	rundll32.exe
PID 4288 wrote to memory of 2708	4288	rundll32.exe	rundll32.exe
PID 4288 wrote to memory of 2708	4288	rundll32.exe	rundll32.exe
PID 4288 wrote to memory of 2708	4288	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\document_E506_Nov#22.iso
1⤵
- Modifies registry class
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\document.vbs"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" overhauled\\watering.temp,CuMode
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" overhauled\\watering.temp,CuMode
3⤵
PID:2708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3784 -ip 3784
1⤵
PID:3216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3784 -s 836
1⤵
- Program crash
PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-133-0x0000000000000000-mapping.dmp

Download
memory/4288-132-0x0000000000000000-mapping.dmp

Download