9a4159dd87dd39b75370ec421d1d528df3a3e2f5a98a134d8ec6d49f97244674

Analysis

max time kernel
300s
max time network
278s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16-04-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fps unlocker.vbs
Size

2KB
MD5

9dff807ab87779439ee2b122d8a90226
SHA1

6912f8dfc864fda06d06619bccdea2982ae6aaee
SHA256

9a4159dd87dd39b75370ec421d1d528df3a3e2f5a98a134d8ec6d49f97244674
SHA512

181e9ddab5e18615571b2d9b14d6862b92c9093badafb958660671af6ac2badb0042005ef342fa3b5b69d317317bf6e460463c7fe5ade8bf3e4ac97154724e38

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	notepad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1988	notepad.exe
4832	notepad.exe
3056	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1988	4552	WScript.exe	80
PID 4552 wrote to memory of 1988	4552	WScript.exe	80
PID 4552 wrote to memory of 4988	4552	WScript.exe	82
PID 4552 wrote to memory of 4988	4552	WScript.exe	82
PID 4552 wrote to memory of 3980	4552	WScript.exe	84
PID 4552 wrote to memory of 3980	4552	WScript.exe	84
PID 4552 wrote to memory of 4720	4552	WScript.exe	85
PID 4552 wrote to memory of 4720	4552	WScript.exe	85
PID 4552 wrote to memory of 4832	4552	WScript.exe	86
PID 4552 wrote to memory of 4832	4552	WScript.exe	86
PID 4552 wrote to memory of 2652	4552	WScript.exe	87
PID 4552 wrote to memory of 2652	4552	WScript.exe	87
PID 4552 wrote to memory of 3556	4552	WScript.exe	88
PID 4552 wrote to memory of 3556	4552	WScript.exe	88
PID 4552 wrote to memory of 4740	4552	WScript.exe	89
PID 4552 wrote to memory of 4740	4552	WScript.exe	89
PID 4552 wrote to memory of 2996	4552	WScript.exe	90
PID 4552 wrote to memory of 2996	4552	WScript.exe	90
PID 4552 wrote to memory of 1036	4552	WScript.exe	91
PID 4552 wrote to memory of 1036	4552	WScript.exe	91
PID 4552 wrote to memory of 2644	4552	WScript.exe	92
PID 4552 wrote to memory of 2644	4552	WScript.exe	92
PID 4552 wrote to memory of 3056	4552	WScript.exe	93
PID 4552 wrote to memory of 3056	4552	WScript.exe	93
PID 4552 wrote to memory of 4620	4552	WScript.exe	95
PID 4552 wrote to memory of 4620	4552	WScript.exe	95
PID 4552 wrote to memory of 940	4552	WScript.exe	96
PID 4552 wrote to memory of 940	4552	WScript.exe	96
PID 4552 wrote to memory of 4468	4552	WScript.exe	97
PID 4552 wrote to memory of 4468	4552	WScript.exe	97
PID 4552 wrote to memory of 1044	4552	WScript.exe	98
PID 4552 wrote to memory of 1044	4552	WScript.exe	98
PID 4552 wrote to memory of 1140	4552	WScript.exe	99
PID 4552 wrote to memory of 1140	4552	WScript.exe	99
PID 4552 wrote to memory of 1208	4552	WScript.exe	100
PID 4552 wrote to memory of 1208	4552	WScript.exe	100
PID 4552 wrote to memory of 2060	4552	WScript.exe	101
PID 4552 wrote to memory of 2060	4552	WScript.exe	101
PID 4552 wrote to memory of 4472	4552	WScript.exe	102
PID 4552 wrote to memory of 4472	4552	WScript.exe	102
PID 4552 wrote to memory of 4796	4552	WScript.exe	103
PID 4552 wrote to memory of 4796	4552	WScript.exe	103
PID 4552 wrote to memory of 4480	4552	WScript.exe	104
PID 4552 wrote to memory of 4480	4552	WScript.exe	104
PID 4552 wrote to memory of 4164	4552	WScript.exe	105
PID 4552 wrote to memory of 4164	4552	WScript.exe	105
PID 4552 wrote to memory of 3348	4552	WScript.exe	106
PID 4552 wrote to memory of 3348	4552	WScript.exe	106
PID 4552 wrote to memory of 2764	4552	WScript.exe	107
PID 4552 wrote to memory of 2764	4552	WScript.exe	107
PID 4552 wrote to memory of 4956	4552	WScript.exe	108
PID 4552 wrote to memory of 4956	4552	WScript.exe	108
PID 4552 wrote to memory of 5056	4552	WScript.exe	109
PID 4552 wrote to memory of 5056	4552	WScript.exe	109
PID 4552 wrote to memory of 2684	4552	WScript.exe	110
PID 4552 wrote to memory of 2684	4552	WScript.exe	110
PID 4552 wrote to memory of 2960	4552	WScript.exe	111
PID 4552 wrote to memory of 2960	4552	WScript.exe	111
PID 4552 wrote to memory of 3316	4552	WScript.exe	112
PID 4552 wrote to memory of 3316	4552	WScript.exe	112
PID 4552 wrote to memory of 2748	4552	WScript.exe	113
PID 4552 wrote to memory of 2748	4552	WScript.exe	113
PID 4552 wrote to memory of 3548	4552	WScript.exe	114
PID 4552 wrote to memory of 3548	4552	WScript.exe	114

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fps unlocker.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4988
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3980
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4720
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2652
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3556
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4740
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2996
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2644
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4620
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:940
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4468
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1044
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1140
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1208
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2060
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4472
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4796
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4480
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4164
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4956
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2684
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2960
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3316
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2748
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3548
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1712
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1996
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3684
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1776
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4884
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4868
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4204
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads