Overview

overview

10

Static

static

3

Purchase O...ls.scr

windows7-x64

10

Purchase O...ls.scr

windows10-2004-x64

10

Specifications.scr

windows7-x64

10

Specifications.scr

windows10-2004-x64

7

Analysis

  • max time kernel
    88s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 05:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Specifications.scr

  • Size

    1020KB

  • MD5

    f03e14fede667def5971cd05001ac26e

  • SHA1

    c3b194d8b0d66a3a7aa540123f9191f06632c31a

  • SHA256

    a090d4d19e61d32cc67cbbcd57124becd412d1e9f7d8d8ed896da4d2d689dc7f

  • SHA512

    e38eaa3b4720cd0e0fd002f9d9067991c7b2ded1335a0a8d8872b96ec498a3231bdf99c1347e701b0bf23631e27a2569d62b0671a009562f9effb932c2ff3ff1

  • SSDEEP

    24576:MtS2xc3m8Y83BarJ3OJJwFcx9wyeZBMI4mCJFix:MQ2x+b3BaN3mwF6yJXWFi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specifications.scr
    "C:\Users\Admin\AppData\Local\Temp\Specifications.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Specifications.scr"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3184
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QfWagJoK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB621.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QfWagJoK.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2168
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:2972
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:4108
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:5056
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:4004

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2prtuwv.zve.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpB621.tmp
                    Filesize

                    1KB

                    MD5

                    450470c80a8791fcc30d2baa7d3baa7f

                    SHA1

                    fb324bfcdb7a528af73204a2cfe05e7929791831

                    SHA256

                    46886f38cd6f8e8ba547e4b4703268daa2e6474958e2660041298865f1d8346f

                    SHA512

                    9f16952679c1b63f857a3c4394db5bd9a4b03f94fed55eb43e3a15dd64e28439b10a7861f538248f7d57bee987e76438fa90a6549ce1dc52a05f8a7f3ee75505

                    Download Submit

                  • memory/772-67-0x0000000004850000-0x0000000004860000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/772-65-0x00000000062B0000-0x00000000062CE000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/772-53-0x000000007F2F0000-0x000000007F300000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/772-55-0x0000000075AF0000-0x0000000075B3C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/772-54-0x0000000006EA0000-0x0000000006ED2000-memory.dmp

                    Filesize

                    200KB

                    Download

                  • memory/772-78-0x0000000006EE0000-0x0000000006F83000-memory.dmp

                    Filesize

                    652KB

                    Download

                  • memory/772-50-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/772-83-0x0000000007290000-0x0000000007326000-memory.dmp

                    Filesize

                    600KB

                    Download

                  • memory/772-82-0x0000000007080000-0x000000000708A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/772-25-0x0000000004850000-0x0000000004860000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/772-32-0x0000000005590000-0x00000000055F6000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/772-91-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/772-88-0x0000000007330000-0x0000000007338000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/772-87-0x0000000007350000-0x000000000736A000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/772-85-0x0000000007240000-0x000000000724E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/772-84-0x0000000007210000-0x0000000007221000-memory.dmp

                    Filesize

                    68KB

                    Download

                  • memory/772-22-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/772-49-0x0000000005890000-0x0000000005BE4000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/772-24-0x0000000004850000-0x0000000004860000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1784-11-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1784-2-0x0000000005C80000-0x0000000006224000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/1784-12-0x0000000005880000-0x0000000005890000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1784-10-0x0000000008750000-0x00000000087EC000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/1784-1-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1784-3-0x00000000055E0000-0x0000000005672000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/1784-9-0x00000000084A0000-0x0000000008560000-memory.dmp

                    Filesize

                    768KB

                    Download

                  • memory/1784-48-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/1784-8-0x0000000008450000-0x000000000845E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1784-7-0x0000000008440000-0x000000000844A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1784-6-0x00000000059A0000-0x00000000059B4000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1784-5-0x0000000005680000-0x000000000568A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1784-4-0x0000000005880000-0x0000000005890000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1784-0-0x0000000000C30000-0x0000000000D32000-memory.dmp

                    Filesize

                    1.0MB

                    Download

                  • memory/3184-20-0x00000000057D0000-0x0000000005DF8000-memory.dmp

                    Filesize

                    6.2MB

                    Download

                  • memory/3184-66-0x0000000075AF0000-0x0000000075B3C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/3184-52-0x0000000006550000-0x000000000659C000-memory.dmp

                    Filesize

                    304KB

                    Download

                  • memory/3184-79-0x0000000005190000-0x00000000051A0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3184-77-0x000000007F510000-0x000000007F520000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3184-80-0x0000000007E80000-0x00000000084FA000-memory.dmp

                    Filesize

                    6.5MB

                    Download

                  • memory/3184-81-0x0000000007840000-0x000000000785A000-memory.dmp

                    Filesize

                    104KB

                    Download

                  • memory/3184-33-0x0000000005EE0000-0x0000000005F46000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/3184-26-0x0000000005740000-0x0000000005762000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/3184-19-0x0000000005190000-0x00000000051A0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3184-21-0x0000000005190000-0x00000000051A0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3184-86-0x0000000007A80000-0x0000000007A94000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/3184-51-0x0000000006510000-0x000000000652E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/3184-18-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/3184-92-0x0000000075260000-0x0000000075A10000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/3184-17-0x0000000002BF0000-0x0000000002C26000-memory.dmp

                    Filesize

                    216KB

                    Download