6dc1c3968fa19baee27e98c43c0c8870ccedb4f388acdcbbfb047cb2343b07dc

Analysis

max time kernel
105s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Your pc is hacked.vbs
Size

1008B
MD5

d74f30d6a899cff826de6a19c2feb8c0
SHA1

d244a288e493cb988908fa3276953538142a2f0f
SHA256

6dc1c3968fa19baee27e98c43c0c8870ccedb4f388acdcbbfb047cb2343b07dc
SHA512

7382943f468667c95c10f373ba05b87c5208d3175b6f83ea2d290ab50d24a944ad315725e28a42a736fde94ba8ef043541cebce0df61bf7e23bfd2664b6fbad3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4360	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	4092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4092	AUDIODG.EXE
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeShutdownPrivilege	2028	shutdown.exe
Token: SeRemoteShutdownPrivilege	2028	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3016	2036	WScript.exe	102
PID 2036 wrote to memory of 3016	2036	WScript.exe	102
PID 2036 wrote to memory of 4360	2036	WScript.exe	104
PID 2036 wrote to memory of 4360	2036	WScript.exe	104
PID 2036 wrote to memory of 2028	2036	WScript.exe	114
PID 2036 wrote to memory of 2028	2036	WScript.exe	114

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Your pc is hacked.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3016
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -s -t 30 -f -m \\
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x314 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4844 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B5032331011F49FFB2BE71A45022247D.dat

Filesize
940B

MD5
9f5e8a9959786f04c722d2d8820d6078

SHA1
de13cefaa27ad3bb6dd1af6ab1705efc57766d49

SHA256
a54aee80f48c052b0201e3d59ba1fafe32711276068e941657bf5a081c8731ea

SHA512
0186c4cbbef4e1246b728da56699dde2453833298d3bb2cd1d559dcc3da12324f410957b98af305ca5e0366e7885ae014d50952c7f112a02a4069c881d12265b

Download Submit