Analysis
-
max time kernel
167s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
10-01-2024 23:25
General
-
Target
51e909c1badb84a70df015d4ed3d78fc.vbs
-
Size
17KB
-
MD5
51e909c1badb84a70df015d4ed3d78fc
-
SHA1
7e05dd9ae5416cef9acf19ffe04cf2df5396c1f6
-
SHA256
355b7ad8cbfe01fddd5922203a911aa8c2d8adf8e2ec5f141889db1f0c640c2b
-
SHA512
f39a828dc22e9d53873b448d61bae74c622fba9420f163d78a3904f3fba0d2770d15c55f73ac044234765cee7eff1bdc5321dd18c593a2cde40e088989b1a772
-
SSDEEP
192:cZhbwnqhbXlM4Ud8GMQsM4UiuM4UFpM4UORkcWD4cfuc87NU2U3B5ht6HAw+:c70nmK4UCGrl4Um4UM4UUZWZfD8shAgX
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51e909c1badb84a70df015d4ed3d78fc.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cs-16.ro/2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94fb446f8,0x7ff94fb44708,0x7ff94fb447183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2331784503220133232,16550719362576718682,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blackghost.ro/2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff94fb446f8,0x7ff94fb44708,0x7ff94fb447183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13867131523400294539,3250528495326627344,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13867131523400294539,3250528495326627344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im ati.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im hlds.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im ati.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5576c26ee6b9afa995256adb0bf1921c9
SHA15409d75623f25059fe79a8e86139c854c834c6a0
SHA256188d83fc73f8001fc0eac076d6859074000c57e1e33a65c83c73b4dab185f81e
SHA512b9dbadb0f522eedb2bf28385f3ff41476caeedc048bc02988356b336e5cf526394a04b3bca5b3397af5dde4482e2851c18eca8aeaaf417a7536e7ea7718f9043
-
Filesize
152B
MD5011193d03a2492ca44f9a78bdfb8caa5
SHA171c9ead344657b55b635898851385b5de45c7604
SHA256d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0
SHA512239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210
-
Filesize
201KB
MD5e3038f6bc551682771347013cf7e4e4f
SHA1f4593aba87d0a96d6f91f0e59464d7d4c74ed77e
SHA2566a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a
SHA5124bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f
-
Filesize
264B
MD5242b26476a4ed96a68b9c0c1655d2989
SHA15fc7c4b8701222c89e47d079699531c0782d7fbc
SHA256f3cac347c8d55fa7253040d680053135a5ef3359397c68babaf14de93d7b4225
SHA5127afd916c23886e7520c4bf1b9423da9062f102c169878d63ec579ef936eb790159cb3332ba7bb0c1aafe154cbd7d036bf38855ffb2008328d93f6f5c917128ba
-
Filesize
1KB
MD5b51526464265759c618d75acf6a5d818
SHA1736bec69b97ef605195d5d0dca28dfd7bb05ba81
SHA256739ae6ea40b209db63db44900cde2cc3f6a83340dc4b3cf320fd884b9af335da
SHA5121f151d684f66e1a7fc1b5829b9fd053e65c6d4d87cc04228e8637d41bb670253ec32426da689009b1a88d790ad303cfe65feaa94dee6b1961ca6a04ef8aa1cb8
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD53e9ffdb4d07c06de7c06785b4affaf66
SHA18eb673911b1c24fd4a29f3dad4542e44f6229652
SHA25697ee5c51b893bd7770f2cba49ff82622ec11adb7d54ed6344523c3b08b628255
SHA512b03dc3a8fa7cec1180a07037eeba4c347d927a67f29bb7cee826813923a232914960c73179091b91b8270d72c15b882b766eb5a67b44297e12fd0d7f3c1fa42f
-
Filesize
6KB
MD597f25899da0a0b5a54dfb799d60ed540
SHA12b0fa21d7c2c8b406e661a5fc11185a961bd2082
SHA2569d48155b17d683e1563ed6b6420bf81719550d84da48557a6a96e07fb2405dd6
SHA512468de53cec8f82fd6602033a5ff1765b3af4c6d556bb2ec69fe4ca53409f5659f0a055671cc489e282e82d49d6cfa972b99de1e98a896b9c1991e722e4de7943
-
Filesize
6KB
MD5435b02cd471f2e6717933edd737e6c3c
SHA167a04a1ff43eb9feb1105a1e2f71de7c7cc07e7d
SHA256d062b0eaf4913ca7bfc947e6d4aae4a7593363b13997dc18a4bee18ed33c1aa3
SHA5127e05ad62485fe5318f026f54299e1bf12293926ff4bb71526b19e7f7656840ee54babec367275ea8d82fcf7699d3cc5281f2c3f4185d6d26c774e2998d0ac1bd
-
Filesize
6KB
MD5a140f07930726dca2f2cdd780583b649
SHA167126702520ca28ea6df9e5425431fdbf6880852
SHA256f07cee5698a027e8c8aa69185c10b7d93fbb8edf1849f1a99367d7c158babeb8
SHA5125bb34c289df8da0e7638fa54b9898146b1a03ac1e44a0038d7ffaf2f5fadafe03d3e59509499eceef77259313b6becc61baffe7176d1c90b96ceda9798f13589
-
Filesize
24KB
MD5f5b764fa779a5880b1fbe26496fe2448
SHA1aa46339e9208e7218fb66b15e62324eb1c0722e8
SHA25697de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d
SHA5125bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745
-
Filesize
872B
MD5d11019bcd1197226db400a13a6c68527
SHA1e1d30e36cd11399a24d78ec386688f8978ce33f0
SHA256a420cec2f88fc4efb52b6582535169961d7ea1631c1a9060b5756a441a199118
SHA5127977be93e679a6fa7b5f5c0145c3881f0d9c6764df3c674e7aa4614d83d953fec7b94fcce47cf1401f9e121bc780b0a7478a8c58fdbb9791e33f711a50064fac
-
Filesize
872B
MD52713687ea7aa38de52bf2dac2f9f132a
SHA1f79f1bcb0e7cbd06446816b51a9ab865e3a2973c
SHA2563a468f33acdf3aaf98ff5fbd6dc7e4f1e30e256916b3cb5a4817927959221a6b
SHA51225ef9e86eef0a554b791f47390e976ab9bc720d6a84b2efdf0e88f37f0aac4e0145edecb527287f1dcabe575ea330fae02f3431431b15c56788e557f1f7c4f19
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD5c5e8bfe77769edaecae5e5ea6332ed78
SHA1d4d28cdc5ca0b3c273c20fadc8466f0b94ab4be9
SHA256485ac2070bdb25eb5adae445bde626758deed8037086ca63ed8ec8af7ee49ca4
SHA5122ef561e9deac8169cd816972f7aec4ddf5582b90efde967b3ef5fee0127ce4b788452a0c0767c4d71d331c6c45304528c895d2f73d414f41f5b444d99ca55853
-
Filesize
10KB
MD5f99056beb1e3463b258344281aacc5dd
SHA1a3547bf1877b4cfeb8a145aa7f9cd9c4c40523a6
SHA2566d2ecfa4ab0e3aec1cea80b87ff8fd3d48b365872d270fd36988d3f74158f8fe
SHA512fa8d3c9e91a6ad7f391b6639b87ec18a2128770d595f9ae4b5b4633c76d258018e24a5dd443e2f55cbd904049a9f48c9a467ec15dc6f9b4c7337afc1849a0555
-
Filesize
3KB
MD5bf8b7473d9619c9cfe438b6ac63fc7e7
SHA19ad86d1b8622a557d6b91b0032ce553cb9824e03
SHA25656b7b1112ffe01c02b30dbcb7400de409256a0f22e378fafb8573329754b1329
SHA512885e8a286a24577b25766a0d27a8c48b712024992b91c4e0297242f442d51036b421f7473e9741a00848ba40d6323cd35767b0990283f8c4a7d0a52c8423f321