df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec

Analysis

max time kernel
172s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec.vbs
Size

4KB
MD5

21dea128e711313098d82c5c5be4f0e0
SHA1

396275c129f66afa3f17a7b71a4ef6c20e9b2d7a
SHA256

df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec
SHA512

51773370565ca927e0416287bbac87774aa93781c2c0556b3b7ef128fa09365d6d62a24c2da276c1693ce0ab0679850a9b46488b23fea24a29532d45b34a7bfe
SSDEEP

96:ffJwI7iv7wAbiPtb5UQG4OmDp/otZRvxDEAfExD9TQuDGm59QyPv+J/PEmZeAeiB:fBx7ivcAbAwJcV/otZMAcxDXDjT/P2Jr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
37	3888	WScript.exe
65	3888	WScript.exe
78	3888	WScript.exe
86	3888	WScript.exe
91	3888	WScript.exe
99	3888	WScript.exe
100	3888	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AUTORUN.INF	WScript.exe
File opened for modification	C:\AUTORUN.INF	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SysInfo.reg	WScript.exe
File created	C:\Windows\System32\prncfg.vbs	WScript.exe
File opened for modification	C:\Windows\System32\prncfg.vbs	WScript.exe
File created	C:\Windows\System32\SySInFO.REG	WScript.exe
File opened for modification	C:\Windows\System32\SySInFO.REG	WScript.exe
File created	C:\Windows\System32\SysInfo.reg	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000006b552074100041646d696e003c0009000400efbe6b557d6c755512902e0000007ee101000000010000000000000000000000000000003de1f000410064006d0069006e00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000006b557d6c12004170704461746100400009000400efbe6b557d6c755512902e00000089e1010000000100000000000000000000000000000020f30e004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e0031000000000075550690100054656d7000003a0009000400efbe6b557d6c755506902e0000009de1010000000100000000000000000000000000000073c22101540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000006b557d6c1100557365727300640009000400efbe874f7748755512902e000000c70500000000010000000000000000003a0000000000d967240055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000006b55b26e10004c6f63616c003c0009000400efbe6b557d6c755512902e0000009ce10100000001000000000000000000000000000000e996ac004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1860	regedit.exe
1296	regedit.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4532	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3480	cmd.exe
Token: SeSystemtimePrivilege	3480	cmd.exe
Token: SeSystemtimePrivilege	556	cmd.exe
Token: SeSystemtimePrivilege	556	cmd.exe
Token: SeSystemtimePrivilege	4328	cmd.exe
Token: SeSystemtimePrivilege	4328	cmd.exe
Token: SeSystemtimePrivilege	1472	cmd.exe
Token: SeSystemtimePrivilege	1472	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4532	explorer.exe
4532	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4808	1736	WScript.exe	84
PID 1736 wrote to memory of 4808	1736	WScript.exe	84
PID 1736 wrote to memory of 1296	1736	WScript.exe	86
PID 1736 wrote to memory of 1296	1736	WScript.exe	86
PID 4808 wrote to memory of 2652	4808	net.exe	87
PID 4808 wrote to memory of 2652	4808	net.exe	87
PID 1736 wrote to memory of 4740	1736	WScript.exe	88
PID 1736 wrote to memory of 4740	1736	WScript.exe	88
PID 1736 wrote to memory of 3480	1736	WScript.exe	92
PID 1736 wrote to memory of 3480	1736	WScript.exe	92
PID 1736 wrote to memory of 556	1736	WScript.exe	94
PID 1736 wrote to memory of 556	1736	WScript.exe	94
PID 1736 wrote to memory of 3888	1736	WScript.exe	96
PID 1736 wrote to memory of 3888	1736	WScript.exe	96
PID 3888 wrote to memory of 3544	3888	WScript.exe	98
PID 3888 wrote to memory of 3544	3888	WScript.exe	98
PID 3888 wrote to memory of 1860	3888	WScript.exe	99
PID 3888 wrote to memory of 1860	3888	WScript.exe	99
PID 3544 wrote to memory of 3692	3544	net.exe	100
PID 3544 wrote to memory of 3692	3544	net.exe	100
PID 3888 wrote to memory of 4328	3888	WScript.exe	101
PID 3888 wrote to memory of 4328	3888	WScript.exe	101
PID 3888 wrote to memory of 1472	3888	WScript.exe	107
PID 3888 wrote to memory of 1472	3888	WScript.exe	107

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec.vbs"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stoP SHAredAccESS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stoP SHAredAccESS
    3⤵
    PID:2652
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /S sYSINFO.Reg
  2⤵
  - Runs .reg file with regedit
  PID:1296
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" .\
  2⤵
  PID:4740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C dAtE 12/7/2019
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dAte 11/21/2022
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\PRNcfg.VBs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stOP shaREdaccESS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stOP shaREdaccESS
      4⤵
      PID:3692
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /S SySINFo.reg
    3⤵
    - Runs .reg file with regedit
    PID:1860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DAte 11/11/2022
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dATE 11/21/2022
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM32\SySINFo.reg

Filesize
497B

MD5
d484e805ad95e6bba830fbc72550facc

SHA1
eac5889f3b4bfab1b0e9bf063ce8272bd80d1cf9

SHA256
19cde613f139d155d756c7cf648f9f3d62c26568acb212af210cc3416e9365e0

SHA512
7cdf242b757f066a0e0e1125c952804bb64a14e189ab70e809f590f55ed83e0ba95771a7ae6b22f0ae774008055f95ad7dd9e3e483ca2f20e6fa731ea30b1588

Download Submit
C:\Windows\SYSTEM32\sYSINFO.Reg

Filesize
497B

MD5
1fca1f6483e39feb3f2769ec9680b151

SHA1
1294b13e913928624aa8b341fae933eb73a771b8

SHA256
6fac50eeb6342a2071d3fd8cca4b44a1db170063d157e7e54e8c995e70a7a31f

SHA512
4eb0ff47b918dac8af538f5beca9e4f574f10685f96d41a0a5ac4c818ec5bbd5168139e140f8a50e3bd82ea5ca5410863d0d06ea4d4ce44e6e8c71e34114d817

Download Submit
C:\Windows\System32\PRNcfg.VBs

Filesize
4KB

MD5
1a40e1f845eef1388153e986469160b9

SHA1
c19fd4428d1c256be7132723d2f0ddfc4ebeb652

SHA256
b19db9a62239ca5d934594a98f57335413cb8d01fd68b215e8507e88a7ea3721

SHA512
bc125c186d2d4b8a3235cc1807ad3607e07280ebc370aed2c0753bb79928d679ec1bd85f26c8c792df6e7082f87946670470ab9ebda8467a2fbf62665b4d1c5a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads