Analysis

max time kernel: 152s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
  Resource: win10v2004-20220812-en
General

Target: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
Size: 13KB
MD5: a6de2c299a0ba22c14187075e65d594c
SHA1: 664c1da8d5f9021783438c9508ba45845b090016
SHA256: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26
SHA512: cac790adf78e823680c3d78227c36a0c5d9d34c2f7a327307b47572b587cb13db6ba1bc884b63e519c44d0aa4a406230ade4495d7558c74a051daedb0a020dc9
SSDEEP: 384:RVzzVqiGagRYwZSFFOECXCghDSHXWmZg1r+9f7qN:RVzxqagRYwZSGECXCgMmsgV/N
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Drops startup file (2 IoCs)
A copy of the script is written to the Admin account's Startup folder, so it is launched again at every logon of that user, independently of the Run-key entries below.
  WScript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
  wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
Adds Run key to start application (2 TTPs, 8 IoCs)
Both the per-user Run key (under the S-1-5-21-2629973501-4017243118-3254762364-1000 hive) and the machine-wide HKLM Run key receive a value named after the sample that relaunches the %APPDATA% copy with wscript.exe //B. The //B switch puts the script host in batch mode, which suppresses script error dialogs and prompts, so a failing script never shows the user anything. Each value is written twice, once by the original process (WScript.exe, from %TEMP%) and once by the relaunched copy (wscript.exe, from %APPDATA%). Writing the HKLM value needs write access to the machine hive, which the sandbox's Admin account evidently had; on a standard user account only the per-user entry would succeed.
  WScript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs\""
  WScript.exe: Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  WScript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs\""
  wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run
  wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs\""
  wscript.exe: Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
  wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs\""
  WScript.exe: Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run
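The two persistence signatures above (the Startup-folder drop and the Run-key values) are the kind of IoCs a detection engineer would turn into rules. The following is an added example, not the sandbox's own code: it takes event records constructed from this report's own "Set value" and "File created" entries, plus two control events that should not fire (a normal OneDrive Run value and the %APPDATA% self-copy, both assumptions of the example), and applies two rules: a Run-key value whose data launches a script through wscript.exe or cscript.exe, and a script file created in a Startup folder. The Event class, rule names and severities are this example's own choices.

```python
"""Persistence-detection rules run over events shaped like the sandbox IoCs in this
report. Added example, not the sandbox's own code: the event records are
constructed from the report's entries; the rule names, severities and helper
functions are assumptions of this example."""
import re
from dataclasses import dataclass

# The sample's file name as recorded in the report (its SHA256 plus .vbs) and the user SID.
NAME = "c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26"
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Registry keys use the native \REGISTRY\MACHINE or \REGISTRY\USER\<SID> prefix, as in the report.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|public|programdata)\\", re.I)


@dataclass
class Event:
    kind: str        # "reg_set" or "file_create"
    process: str     # process that performed the action
    path: str        # registry key (without the value name) or file path
    name: str = ""   # registry value name
    data: str = ""   # registry value data, i.e. the autorun command line


def tokenize_cmdline(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def script_host_autorun(cmd):
    """Return (host, host_switches, script_path) when cmd runs a script through
    wscript/cscript, else None. Host switches start with '//'; '//B' is batch mode,
    which suppresses script error dialogs and prompts."""
    toks = tokenize_cmdline(cmd)
    if not toks:
        return None
    host = toks[0].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return None
    switches = [t for t in toks[1:] if t.startswith("//")]
    scripts = [t for t in toks[1:] if t.lower().endswith(SCRIPT_EXTS)]
    if not scripts:
        return None
    return host, switches, scripts[0]


def evaluate(events):
    """Apply the two rules and return a list of findings (dicts)."""
    findings = []
    for ev in events:
        if ev.kind == "reg_set" and RUN_KEY_RE.search(ev.path):
            parsed = script_host_autorun(ev.data)
            if parsed is None:
                continue  # a Run value that is not a script-host launch
            host, switches, script = parsed
            silent = any(s.upper() == "//B" for s in switches)
            hive = "HKLM" if ev.path.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
            findings.append({
                "rule": "run_key_script_host",
                "severity": "high" if (silent or USER_WRITABLE_RE.search(script)) else "medium",
                "process": ev.process, "hive": hive, "value": ev.name,
                "detail": f"{host} {' '.join(switches)} -> {script}".strip(),
            })
        elif ev.kind == "file_create" and STARTUP_RE.search(ev.path):
            findings.append({
                "rule": "startup_folder_drop",
                "severity": "high" if ev.path.lower().endswith(SCRIPT_EXTS) else "medium",
                "process": ev.process, "detail": ev.path,
            })
    return findings


# Constructed from the report's own "Set value" and "File created" IoCs, plus two
# control events (a normal OneDrive Run value and the %APPDATA% self-copy) that
# the rules should not flag.
AUTORUN_CMD = f'wscript.exe //B "C:\\Users\\Admin\\AppData\\Roaming\\{NAME}.vbs"'
SAMPLE_EVENTS = [
    Event("reg_set", "WScript.exe",
          rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", NAME, AUTORUN_CMD),
    Event("reg_set", "WScript.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", NAME, AUTORUN_CMD),
    Event("file_create", "WScript.exe",
          rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{NAME}.vbs"),
    Event("file_create", "WScript.exe", rf"C:\Users\Admin\AppData\Roaming\{NAME}.vbs"),
    Event("reg_set", "explorer.exe",
          rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
          '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["process"], f["detail"])
```

Run against the constructed events, the rules produce three findings (the HKU and HKLM Run values and the Startup-folder drop) and stay quiet on the OneDrive value and on the self-copy to %APPDATA%, which is not by itself an autorun location. The Run-key rule keys on the command line rather than on the value name, since the value name here is just the sample's hash and will differ per sample.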
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. The sandbox's generic description calls this likely ransomware behaviour, but no IoC is recorded for this signature in the report, and no file encryption or ransom note is listed elsewhere in it; on its own, drive enumeration is also consistent with a script looking for removable media to copy itself to.
Suspicious use of WriteProcessMemory (2 IoCs)
Recorded twice with identical details: PID 1324 (WScript.exe) wrote to the memory of PID 4296 (wscript.exe), the child it spawned. A parent writing into the address space of a process it has just created is part of normal process creation and is not by itself evidence of code injection; the corresponding memory dump is listed under Downloads.
  WScript.exe: PID 1324 wrote to memory of 4296 (WScript.exe -> wscript.exe)
  WScript.exe: PID 1324 wrote to memory of 4296 (WScript.exe -> wscript.exe)
Processes

1. C:\Windows\System32\WScript.exe (PID 1324)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs"
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 4296, child of 1)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs"
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
  Filesize: 13KB
  MD5: a6de2c299a0ba22c14187075e65d594c
  SHA1: 664c1da8d5f9021783438c9508ba45845b090016
  SHA256: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26
  SHA512: cac790adf78e823680c3d78227c36a0c5d9d34c2f7a327307b47572b587cb13db6ba1bc884b63e519c44d0aa4a406230ade4495d7558c74a051daedb0a020dc9
-
C:\Users\Admin\AppData\Roaming\c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26.vbs
  Filesize: 13KB
  MD5: a6de2c299a0ba22c14187075e65d594c
  SHA1: 664c1da8d5f9021783438c9508ba45845b090016
  SHA256: c9193332066bd6248d2cafb240b614150651abfd1617b8228d72d176080c4d26
  SHA512: cac790adf78e823680c3d78227c36a0c5d9d34c2f7a327307b47572b587cb13db6ba1bc884b63e519c44d0aa4a406230ade4495d7558c74a051daedb0a020dc9

Both dropped files carry exactly the hashes of the submitted sample, so the script copies itself byte-for-byte to %APPDATA% and to the Startup folder rather than dropping a second-stage payload; a single file hash therefore covers all three locations.
-
memory/4296-132-0x0000000000000000-mapping.dmp