Overview

overview

7

Static

static

1

file.vbs

windows7-x64

3

file.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.vbs

  • Size

    2KB

  • MD5

    0b892419b6889fd88f52b6499c495ada

  • SHA1

    b7495596ee43bf281fd9979f7ec48402676c547e

  • SHA256

    6b7ee926a8648096d7b3b53816248d70da573fd3ced5a3501859b9f64afd13d4

  • SHA512

    a35a1fa6fc9f8e939729d31a867eff2d82a8758276bb3015c92b0189dee43e680816b29674374457de49ebfd6a9a077dc114b87d7c54d7f12fd12f50f6325c26

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\System32\ipconfig.exe
      ipconfig
      2⤵
      • Gathers network information
      PID:684
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      2⤵
        PID:1704
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe"
        2⤵
          PID:4880
        • C:\Windows\System32\notepad.exe
          "C:\Windows\System32\notepad.exe"
          2⤵
            PID:576
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1016-2-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-1-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-0-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-12-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-11-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-10-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-9-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-8-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-7-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-6-0x0000027C88210000-0x0000027C88211000-memory.dmp

          Filesize

          4KB

          Download