Overview

overview

10

Static

static

10

ed03f8136c...18.exe

windows7-x64

7

ed03f8136c...18.exe

windows10-2004-x64

7

$PLUGINSDI...ad.dll

windows7-x64

3

$PLUGINSDI...ad.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...nu.dll

windows7-x64

3

$PLUGINSDI...nu.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...om.dll

windows7-x64

7

$PLUGINSDI...om.dll

windows10-2004-x64

7

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

$TEMP/v.vbs

windows7-x64

3

$TEMP/v.vbs

windows10-2004-x64

3

$TEMP/xcmd.exe

windows7-x64

9

$TEMP/xcmd.exe

windows10-2004-x64

9

$_48_/$APP...md.exe

windows7-x64

9

$_48_/$APP...md.exe

windows10-2004-x64

9

$_48_/1.html

windows7-x64

6

$_48_/1.html

windows10-2004-x64

1

$_48_/3.bat

windows7-x64

1

$_48_/3.bat

windows10-2004-x64

1

$_48_/3.vbs

windows7-x64

4

$_48_/3.vbs

windows10-2004-x64

7

$_48_/qq.vbs

windows7-x64

3

$_48_/qq.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $_48_/3.vbs

  • Size

    2KB

  • MD5

    a1e554f682917f550a2e2724e4de948a

  • SHA1

    b969a24c3581b7a3c8a1493bb5f28410b3359dce

  • SHA256

    2b4aa2bd62996af03ef4669df853ecb883e676e9ddbb92139d43413fabbad0c0

  • SHA512

    dfdc643f220be01c6ee9c90970ed84887038d8dd3199c8092d435d8cf6e5ac75a3f2f2b2f5fe020c8bcf0cfcefc64af28d91ef77b80075380b071c284e59c2ad

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\$_48_\3.vbs"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" "C:\Program Files\NetMeeting\ie.html" +R
      2⤵
      • Views/modifies file attributes
      PID:3660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Y| cacls "C:\Program Files\NetMeeting\ie.html" /P Everyone:R
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
          PID:1584
        • C:\Windows\system32\cacls.exe
          cacls "C:\Program Files\NetMeeting\ie.html" /P Everyone:R
          3⤵
            PID:116

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Files and Directories

      1
      T1564.001

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads