587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725

Analysis

max time kernel
298s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe
Size

4.0MB
MD5

fad9117195abc602151ac1cf9a3492ce
SHA1

fc20f80206a80d6fda7d7d43ba52ade5a3cc308d
SHA256

587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725
SHA512

bec85e5370b5e84be7a8d38c9cf686627ca328fd686360fef215030e03b32d63f80e750b9fb55413f887e0672c01b1d90c8480a2c16477bc5652f825afcd2265
SSDEEP

98304:sWLkFXk7w5DSndblrgI6RnkjB/5YfuE5NrSRiV/Kgh7b+qQMCZyc:sWLkF07w5DSndBrgIEnkjdZ4O9w+V

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 512	1468	587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe	81
PID 1468 wrote to memory of 512	1468	587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe	81
PID 512 wrote to memory of 1172	512	WScript.exe	82
PID 512 wrote to memory of 1172	512	WScript.exe	82

C:\Users\Admin\AppData\Local\Temp\587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe
"C:\Users\Admin\AppData\Local\Temp\587929dac78dfb5501de074c578c19a26cca6ebeb93918bc10e4f65dcdf1f725.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FileName\222.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ²»¶ÏÍø°²×°.vbs
    3⤵
    PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FileName\222.vbs

Filesize
448B

MD5
d7ce2c3dd70813c1a7547714742cc76e

SHA1
b14ff7e100ab2f28d4880a6988b264e53741ddd3

SHA256
4590686cb7a219e157f60c2939cbf7e2030104f8c51af20c9b6c2a4308958b90

SHA512
d5bc1086609ef180b3527f7a4db0b6a5e30a144eea0eece524eaaa0fba2cc3f4c345baae9d5ae479138df721f26213f4ca0ba5b994cde34d16eec8f3fd68b5b4

Download Submit
memory/512-132-0x0000000000000000-mapping.dmp

Download
memory/1172-134-0x0000000000000000-mapping.dmp

Download