477587dbcd9c4d54188c93246135266c0028677546f6ad905ba8fbdbf6d98176

Analysis

max time kernel
6s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2023 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

477587dbcd9c4d54188c93246135266c0028677546f6ad905ba8fbdbf6d98176.bat.vbs
Size

844KB
MD5

7afe4eb715f4f0748a36b126b0c0548f
SHA1

5fb057416c57f746581a398cd8a7462da791cb85
SHA256

477587dbcd9c4d54188c93246135266c0028677546f6ad905ba8fbdbf6d98176
SHA512

e6efbb02f4e37b1d99eced71051348c3880ac164595188e194c110c10c02196b91c2b5a61425752d0b8b2eb27bbe30cfb6794c7c788058edaeac913a51b1afac
SSDEEP

12288:dZXP9lH30VarOLrO4BdxK7B7zhn/O9/lSBkxXFKezOIy2BC4vo/PVHQWw8FK:PP9hE4yLqsdxKNzhnGKez9hBRvKPPK

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C3FE825D-41B5-41E1-88A0-49E14B119150}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\477587dbcd9c4d54188c93246135266c0028677546f6ad905ba8fbdbf6d98176.bat.vbs"
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads