eeb802aa132faf387bd18f64fb47c432e9d7f4e914515775b0879e9236383435

General

Target

ass.vbs
Size

1KB
MD5

6543b3ddab1447dd81d1f008f8895ac0
SHA1

835b051518de180705064745f87476b18004f540
SHA256

eeb802aa132faf387bd18f64fb47c432e9d7f4e914515775b0879e9236383435
SHA512

ac311ff6fea6a320207f4870577d73ac59585c005eae8db063c8d0c2effae681ae66c733061cf1a8dc672a6d948b3dd7ad5d682723294b12f3ebcf0ca0aa5bdd

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1428 reg.exe
772 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2004 chrome.exe
2004 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2004 chrome.exe
2004 chrome.exe
2004 chrome.exe
2004 chrome.exe

pid	process
1428	reg.exe
772	reg.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exechrome.exe

description	pid	process	target process
PID 1184 wrote to memory of 772	1184	WScript.exe	reg.exe
PID 1184 wrote to memory of 772	1184	WScript.exe	reg.exe
PID 1184 wrote to memory of 1428	1184	WScript.exe	reg.exe
PID 1184 wrote to memory of 1428	1184	WScript.exe	reg.exe
PID 1184 wrote to memory of 2004	1184	WScript.exe	chrome.exe
PID 1184 wrote to memory of 2004	1184	WScript.exe	chrome.exe
PID 2004 wrote to memory of 5024	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 5024	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 2728	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 4404	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 4404	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe
PID 2004 wrote to memory of 488	2004	chrome.exe	chrome.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ass.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:772

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/watch?v=BbeeuzU5Qc8&ab_channel=MetroGirlzStation
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa45ee9758,0x7ffa45ee9768,0x7ffa45ee9778
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:2
3⤵
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:8
3⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:8
3⤵
PID:488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:1
3⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:1
3⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:1
3⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4760 --field-trial-handle=1800,i,11404839941011964572,15143531629432656626,131072 /prefetch:1
3⤵
PID:1692

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
645545409390ab25a5d46e6d9697db59

SHA1
10712b4a7a976e52789b8be5b502907faba0c803

SHA256
3a4dbfabaab95b1d8f78a9636d7982da71571db906b0a213f516b22090b159b8

SHA512
2337502ab7af8c044552c5db0fd8797b80c9899267401c18237e7f7541a404ca10638445359ffc9fb3fe2e040275bb5aeb3bf4fe670a4a3f613ca05a88afdd6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c1a39b4477723529ce23d7b2a2dda28e

SHA1
5f3108e4dcd79e6640a1769ae1590037451a026f

SHA256
7e2e79dd4fb7c1b8a98a4553412d2c9767700f86f61102ab576c294582faf465

SHA512
c70af341dda9cc49b854ca20fd28cea54499f8a19e64d56a01ce72f14d6ce76461fa74c5dc32fb0e99d7b0ed7beb6aaf6ff31100acd6cfe4c06316c76c7dd6e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
707B

MD5
253a38b11990cb9c19c2ba2f597dfc2e

SHA1
0b5ccdbdf72fbb43aef49baa3eb9a45996c720bc

SHA256
125b943718ac6299204be10119cf5f5f7a5a52b025b8f679c41f110bd4fe3e55

SHA512
018d62dd535e80a7431e7c7d869bf529022892dbb34f29ec03a1bc48e83e3c9086196e3f8acc3644081f3ae8a15fef84ef354819e1a50413b418e93717e05931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e689564426e5e85e2cad3d2313ca0fd0

SHA1
eea2ded0947f33ad548f24d5ad0d34b71c6d3eec

SHA256
349f2a6356bb47f0b5949d40142a18567a453a90d80c55a19dceb68fc1447a9a

SHA512
62e68650ba9d605337ebed0e15a432e92887d3820a16bd40384c6d52d7a8514cd1c3a6e71aa4c7de4af93da86c1df7ec5ea1619e40c480e011cfe800a3bbcbbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
42af6fac643bbe271fb8f5e804671649

SHA1
468fd46093f9ecc775ad31378e49478981a87d8b

SHA256
d0f5ab70a3ac38e1f4c910788baf2dc47130493bad9158680e86dcf484885d3e

SHA512
9fe2ab2bc2b8d5dd5dcb55c049484aa28cfab7475b5ecba6c087d0a67561280d652bd8e13abb483ae5909d7e181519089fd41e4bda98dacd1a3eee2b968658f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_2004_NOXKWXMJOKWVCPWF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads