1cb6977c6c4553ff7842af9205760e5c5958a85ffb3db2c1e94c69fcd0f0a347

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_48_/3.vbs
Size

2KB
MD5

a1e554f682917f550a2e2724e4de948a
SHA1

b969a24c3581b7a3c8a1493bb5f28410b3359dce
SHA256

2b4aa2bd62996af03ef4669df853ecb883e676e9ddbb92139d43413fabbad0c0
SHA512

dfdc643f220be01c6ee9c90970ed84887038d8dd3199c8092d435d8cf6e5ac75a3f2f2b2f5fe020c8bcf0cfcefc64af28d91ef77b80075380b071c284e59c2ad

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation WScript.exe
Drops file in Program Files directory 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Program Files\NetMeeting\ie.html WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
File created	C:\Program Files\NetMeeting\ie.html	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 728 wrote to memory of 3660	728	WScript.exe	attrib.exe
PID 728 wrote to memory of 3660	728	WScript.exe	attrib.exe
PID 728 wrote to memory of 3076	728	WScript.exe	cmd.exe
PID 728 wrote to memory of 3076	728	WScript.exe	cmd.exe
PID 3076 wrote to memory of 1584	3076	cmd.exe	cmd.exe
PID 3076 wrote to memory of 1584	3076	cmd.exe	cmd.exe
PID 3076 wrote to memory of 116	3076	cmd.exe	cacls.exe
PID 3076 wrote to memory of 116	3076	cmd.exe	cacls.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3660 attrib.exe

pid	process
3660	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\$_48_\3.vbs"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" "C:\Program Files\NetMeeting\ie.html" +R
  2⤵
  - Views/modifies file attributes
  PID:3660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo Y| cacls "C:\Program Files\NetMeeting\ie.html" /P Everyone:R
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1584
- - C:\Windows\system32\cacls.exe
    cacls "C:\Program Files\NetMeeting\ie.html" /P Everyone:R
    3⤵
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads