c0a6e1d96dfb40838acec2043a2e292f86ed2d87835b3304698a4e0a5b5c59b2

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

171644e7d0764c9d5258f0666410cd60.exe
Size

80KB
MD5

171644e7d0764c9d5258f0666410cd60
SHA1

3cc41a4637b8f46cc5d9249e2c4b79fc33c68b7b
SHA256

c0a6e1d96dfb40838acec2043a2e292f86ed2d87835b3304698a4e0a5b5c59b2
SHA512

df5fbd5826034d1b06a089277a5103f9add3375d879354e7126f685bcaa5dfee21427f7fa0839ed486edd77f8abfcee1131aba73f94f48ac4bf0b028bba3414e
SSDEEP

1536:g1ApjpEh+eMnouy8t3z8h3IRrcJEHlazK0hEZoxXblp+M2ferfNfVZJ2yOCRS/I/:g1Sjpboutt3q3ICJ0lazK0hEZox5pCf7

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	4028	wscript.exe
28	4028	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	171644e7d0764c9d5258f0666410cd60.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1688-134-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4028	1688	171644e7d0764c9d5258f0666410cd60.exe	85
PID 1688 wrote to memory of 4028	1688	171644e7d0764c9d5258f0666410cd60.exe	85
PID 1688 wrote to memory of 4028	1688	171644e7d0764c9d5258f0666410cd60.exe	85
PID 4028 wrote to memory of 2180	4028	wscript.exe	86
PID 4028 wrote to memory of 2180	4028	wscript.exe	86
PID 4028 wrote to memory of 2180	4028	wscript.exe	86

C:\Users\Admin\AppData\Local\Temp\171644e7d0764c9d5258f0666410cd60.exe
"C:\Users\Admin\AppData\Local\Temp\171644e7d0764c9d5258f0666410cd60.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6AB5.tmp\connect.vbs
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\connect.cmd" "
    3⤵
    PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AB5.tmp\connect.vbs

Filesize
2KB

MD5
eec05730b1e6e3cead5ebf507a3c99f6

SHA1
75e0e79a233e250ff405207725b0e6bf12fb6784

SHA256
bf51942f19fab393be9a419af8882781b005833283895645608485030d0aedff

SHA512
8318e6d3d92cb3212b71b3a50713eb9c82d4e897d4ad66622c0da34cc7d149ffd1b4c21ce55db2352599fd276cde606d9e639f679d4ac4b92ea40c568e292c15

Download Submit
C:\Users\Admin\connect.cmd

Filesize
277B

MD5
715385daf29fbc35f13648680ade7d79

SHA1
d347a7a9687640b95a86bf7697efa439ed8acf38

SHA256
b858845951affb7b01e0d993e289812c0020387a1622ba44e9b6bd31f8fd910c

SHA512
920710c1b5ca295b5f724a31a7ba8aa9ca7b93648984ea68da0fe58703f8230eb858002329508fc946eabb27db9b319383bc21c82565df154bcca05224406558

Download Submit
memory/1688-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download