Analysis
-
max time kernel
15s -
max time network
20s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
18/03/2024, 17:45
General
-
Target
strcomputer.vbs
-
Size
2KB
-
MD5
26b6d2fcf318aecf9df98d0f4705a671
-
SHA1
1751305572fc3e87bdcf8f5a46fd45fee3a3830d
-
SHA256
da372170c6fa0828db5e4fb5cf15749d09391b6f6b998dc6a27ecc68e26ff30a
-
SHA512
46622857c48e01b8222eb0613b77d88155d17b8694e13b6edc3c8d88d6278104496680381d595a37ace5a18f71fe85c7405a866b3092d09618da4832da925784
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\strcomputer.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /im cmd.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt1⤵
- Opens file in notepad (likely ransom note)