98a90912b0248bb92b56ef2d36dae84cedccee87342ac0342b571af44ccdf085

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

brave.vbs
Size

4KB
MD5

b375f095bb00bcf3881929860a94c23b
SHA1

166d303afd6ee436ff78ac5b31ce12b6bfd5dd36
SHA256

fa37cc67fae3dc9ec9e14f11c08b4b9f83749f465770bed54969e867f78715d6
SHA512

6965ec1a64d911b9ef7298cb7f386d39a1c4fc105f0b0acb4f6cdf87d94d31af4208613047f7aa5d9275699854cd923feddb59f32b9131387609252ab09a45cc
SSDEEP

48:/XmDGg/zzzzzzzzzzzzA8K9ht8Q4OmWBhJWDyCnveaF:qK9ht8QQWu79F

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3456	4324	WScript.exe	83
PID 4324 wrote to memory of 3456	4324	WScript.exe	83
PID 3456 wrote to memory of 1064	3456	net.exe	85
PID 3456 wrote to memory of 1064	3456	net.exe	85

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\brave.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...