Analysis
-
max time kernel
112s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 06:33
General
-
Target
document.vbs
-
Size
9KB
-
MD5
f433d8822f70bc508a0283099a8909f2
-
SHA1
5c32b5347f100127a7888a367a5f0e808125d841
-
SHA256
98667994f4d83f11bc5bba249a5d046314541621a0fa6da9d18117ec1e20e090
-
SHA512
80c2bb7382b30ba2f13635d09c9c06557ceea13cf55b40221aaeb191317e6ed020b4f1459152d74952d2e5f00f9c9c791e8c5dad2882e420a05646fc62f8c112
-
SSDEEP
192:ReSjpUorcl/E4hp3aD/OCMhiEe1mUS1G0vdzgW20fkbsgTbpQt:c4pnrcpE4hpPCMhidmnGm80jWb4
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" overhauled\\honorary.temp,CuMode2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" overhauled\\honorary.temp,CuMode3⤵