81d37d383d7965fa6114fc95efa733b4d35db1903bc007045d7e4314511c449c

Analysis

max time kernel
264s
max time network
268s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
22-05-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stage1_cleaned.vbs
Size

44.8MB
MD5

21e08177e5718a4483232b04a08be251
SHA1

6f0abbc5ba20b8458443532c87761a90f9651666
SHA256

81d37d383d7965fa6114fc95efa733b4d35db1903bc007045d7e4314511c449c
SHA512

41a12835b23bc7631550026a4aa6a6ced25c74f874bbb80b9023b0e2b591f88b2fae620e329c3f742303b81ae1abf921d2cd55884d2f71b40d5d5ccade90cd95
SSDEEP

786432:/gLgLgLgrgLgLgLgLgLgOgLgLgLgLgLgLgLgLgLgtgLgLgLglgLgLgLgLgLgLgLI:u

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
30	4212	WScript.exe
33	4212	WScript.exe
35	4212	WScript.exe
37	4212	WScript.exe
42	4212	WScript.exe
46	4212	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4212	4204	WScript.exe	92
PID 4204 wrote to memory of 4212	4204	WScript.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stage1_cleaned.vbs"
1⤵
PID:1520

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\ywfxdhfnohpm.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\giljyyvpmfr.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\giljyyvpmfr.vbs

Filesize
18.6MB

MD5
c24401bdcd1d2b12c2c0d24b9537c379

SHA1
85dfcfa03ea625b639d41ef4b1b13a100c619712

SHA256
7436743916189dc9b5318299f8b45b4abe13443b6973b5883a0acda603aec3d6

SHA512
dc59ebd604823ac0d31f17bc2a2558ad75ef6a64ca5d655f529da9bf740ed3b7e7b6c1bd610ac92a4bf7fcb5f5257b0201d5124fa79684ecb3fa28add6fad59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywfxdhfnohpm.vbs

Filesize
466B

MD5
84668d06bc297aee669af488d6475f94

SHA1
d0112db7aa21e0a81847dd31585cf8ff090cd42c

SHA256
f763a68ee540107a0560a3bce086a4d3270a952b9a8d288e80e160d1623791a2

SHA512
aec09f8804ef849f0d59dffc59dca2c8a6407715ece5cafd5a0abb9c5d40906857242074ee29365a2755d2a14aeedd9c3386ff27b222bd58721fb17cead3a591

Download Submit