Analysis
-
max time kernel
16s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
25-04-2024 11:23
Static task
static1
Behavioral task
behavioral1
Sample
ass.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ass.vbs
Resource
win10v2004-20240412-en
Errors
General
-
Target
ass.vbs
-
Size
1KB
-
MD5
0971210e69a8fc2d1bfc3a2549226f99
-
SHA1
4f3ac74c56e81868e252c8e057fb88b0de039605
-
SHA256
6edae4802f00f7339f786534c29bf22b1f9c0cd0920a88f884be66bf563a1c02
-
SHA512
c4ca0e5772e9a2cee310f5b39b6b94b7a04656d7a7e344b275a26657e43a1b71a6c4ccff7c90d8128b5b767af16d590c7070a5d57fe9ac93c79ee0d9a5988ea2
Malware Config
Signatures
-
Disables RegEdit via registry modification 1 IoCs
Processes:
reg.exe
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
process: reg.exe
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
process: WScript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid: 4476
process: taskkill.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exe
pid: 3740
process: notepad.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exe
description: Token: SeDebugPrivilege
pid: 4476
process: taskkill.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WScript.exe
description | pid | process | target process
PID 2180 wrote to memory of 1028 | 2180 | WScript.exe | reg.exe
PID 2180 wrote to memory of 1028 | 2180 | WScript.exe | reg.exe
PID 2180 wrote to memory of 1808 | 2180 | WScript.exe | reg.exe
PID 2180 wrote to memory of 1808 | 2180 | WScript.exe | reg.exe
PID 2180 wrote to memory of 3740 | 2180 | WScript.exe | notepad.exe
PID 2180 wrote to memory of 3740 | 2180 | WScript.exe | notepad.exe
PID 2180 wrote to memory of 4476 | 2180 | WScript.exe | taskkill.exe
PID 2180 wrote to memory of 4476 | 2180 | WScript.exe | taskkill.exe
Processes
-
C:\Windows\System32\WScript.exe (tree level 1)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ass.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\reg.exe (tree level 2)
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
-
C:\Windows\System32\reg.exe (tree level 2)
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
- Disables RegEdit via registry modification
- Modifies registry key
-
C:\Windows\System32\notepad.exe (tree level 2)
"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\example.txt
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\taskkill.exe (tree level 2)
"C:\Windows\System32\taskkill.exe" /f /im svchost.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\example.txt
Filesize
57B
MD5
817fdb4e756556eefd6912f3cc8d06db
SHA1
7c2e82c99ac6926574c596aee06df97f5b966d03
SHA256
ab2df71056fe1c80fc5a540f32c3e14d206d52997164f94d9241f36032e09dcf
SHA512
446b19e4cd56c6ff0c9753205f0882ad0450e97cabd888c68421fbf2c84631d532f968bfe226cfeef43cea42d27dd70a73db6c1960726ac60dc31066c51cdb8f