Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 18:05

Static task: static1

Behavioral task: behavioral1
- Sample: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
- Resource: win10v2004-20221111-en
General
- Target: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
- Size: 1.1MB
- MD5: 53aca4da80bf2521c5f3a26574f177ba
- SHA1: 4f3bb2b512eeaf98799dcf459672ffc0af320c2d
- SHA256: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a
- SHA512: 6f81474df3956c399a5470423f5af3eed05121bf8679faf34635b7b6468925024bd9c99ca98b36f6c2402792e872a98afd8adf1f3d6f34a3de06db4eb5cf2422
- SSDEEP: 24576:QxgMEQ9wZsvXDj+nknKSOTVRVZVEMDbCIJXHAkZaEeMn22kND:QAGvTqnI3OTVRPZCcXjZ+u22kx
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | wscript.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
    pid | process
    4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe (this row is repeated 6 times in the report)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
    description | pid | process
    Token: SeDebugPrivilege | 4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
    Token: 33 | 4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
    Token: SeIncBasePriorityPrivilege | 4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe, cmd.exe
    description | pid | process | target process
    PID 4828 wrote to memory of 1780 | 4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe | cmd.exe (row repeated 3 times)
    PID 1780 wrote to memory of 1356 | 1780 | cmd.exe | wscript.exe (row repeated 3 times)
    PID 4828 wrote to memory of 3008 | 4828 | 0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe | svhost.exe (row repeated 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\wscript.exe (depth 3)
      Command line: wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
      - Checks computer location settings

  - C:\Users\Admin\AppData\Roaming\svhost.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs
  Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

- C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  Filesize: 76B
  MD5: 5e57f6f4e3242ad9719ed5e65346e83e
  SHA1: 72346d0208c5edeb69f41ddb4374d56d87221dad
  SHA256: 4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c
  SHA512: 7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

- C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
  Filesize: 288B
  MD5: 4a4f147418dd55a3c5ad7f79a7ce828d
  SHA1: 1d48f12cd714d430e7ae251bb03e790b04f72deb
  SHA256: b6461dd8fb99f05cd1203b3af14988e543135e26805cfdc18ccf54e4a8e95226
  SHA512: 4cb8e61a797a9fc99821e893b8f9db36765388646a990be00126aaa4968b37c575632d1fd5d5b2dd1f2a006ab0939500f8de2b7e3d30a42ddb9f74a2f44cc064

- memory/1356-135-0x0000000000000000-mapping.dmp

- memory/1780-133-0x0000000000000000-mapping.dmp

- memory/3008-136-0x0000000000000000-mapping.dmp

- memory/4828-132-0x0000000074DE0000-0x0000000075391000-memory.dmp
  Filesize: 5.7MB

- memory/4828-139-0x0000000074DE0000-0x0000000075391000-memory.dmp
  Filesize: 5.7MB

- memory/4828-140-0x0000000074DE0000-0x0000000075391000-memory.dmp
  Filesize: 5.7MB