44905c8aad3cd7360aa237ed7d2a024152b32fc5c39266bf2ce382d0bb3f7f27

General

Target

44905c8aad3cd7360aa237ed7d2a024152b32fc5c39266bf2ce382d0bb3f7f27.vbs
Size

337B
MD5

1fe4615994b98e453f7ff6aeea17aa11
SHA1

9ba1044f248176e14f6389eb19e8c59f241377de
SHA256

44905c8aad3cd7360aa237ed7d2a024152b32fc5c39266bf2ce382d0bb3f7f27
SHA512

0e9c59d283729db4d08ebfefc2bc8235ff84a53129fb22e0758f06c292931bc5753d4c1d2afda987f6d19e5e6e3e6208f74a00332afa8d578780b88143f440b1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2573087164"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BB8F029C-7114-11ED-919F-4EF50EB22100} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000006306fc88ab1a85ccef43ad56ca182e68f3df6273ab51cc17ef13943d71ef05b8000000000e80000000020000200000006925edc43d43c04617ff6b8c3aab5c364e0f5024e044d180c08ac2f94e6ca0c0200000006a72160069b515df042af5b94146b3777032c3f71afea4c89a6294e20e79000e40000000b06a9a759dbae7b57d510b8b02aadd1cc052efb7fc5b02740741c9d49849a02efc672c14312a59f8c791ed7973185f201dfa6ecd41eaf36ee5fad442edaa85e6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999841"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000061894d3e067c050accb8a7635079d6703623bed176bc14819300fec0d6d61121000000000e8000000002000020000000f0ab6fcf0f7cd83b9cc090725cf6cab7f1cbd66177f855f024702559d5ed3a87200000003ea09c655f2d660a7f79f9df6d7c07c1a7e2da74f32ac50ea7ef9351c5cd1fe7400000006e484503a7384c53c5bbaa0394aac9d59272267f47ab9106e57814a8406565ffb6c27d85a41dfae56d9dbd916333bcbf31d66f66bac33243958c9bd4433995e6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00165e992105d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0933da02105d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999841"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2573087164"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1768	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1768	iexplore.exe
1768	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2268	2844	WScript.exe	82
PID 2844 wrote to memory of 2268	2844	WScript.exe	82
PID 2268 wrote to memory of 1768	2268	cmd.exe	84
PID 2268 wrote to memory of 1768	2268	cmd.exe	84
PID 2844 wrote to memory of 4164	2844	WScript.exe	86
PID 2844 wrote to memory of 4164	2844	WScript.exe	86
PID 2844 wrote to memory of 3832	2844	WScript.exe	88
PID 2844 wrote to memory of 3832	2844	WScript.exe	88
PID 2844 wrote to memory of 1408	2844	WScript.exe	90
PID 2844 wrote to memory of 1408	2844	WScript.exe	90
PID 1768 wrote to memory of 1796	1768	iexplore.exe	92
PID 1768 wrote to memory of 1796	1768	iexplore.exe	92
PID 1768 wrote to memory of 1796	1768	iexplore.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44905c8aad3cd7360aa237ed7d2a024152b32fc5c39266bf2ce382d0bb3f7f27.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start /min iexplore http://447.cc/index2.html?7xdown
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://447.cc/index2.html?7xdown
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C .\to.cmd
  2⤵
  PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C .\copy.cmd
  2⤵
  PID:3832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C .\run.cmd
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads