6c13431566c25d6b4c65b44218c49fffb049ff78ff3af623fc54093697d22041

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moeQG.wsf
Size

28KB
MD5

32f507328c0210778ffe190a6281395b
SHA1

e741192b9e7df7d261fa2ec511ccf5e628d2688e
SHA256

79a9959b3d969c91d3603b82316d6c78d744389d7fd22dea8b61353a6fd60cd5
SHA512

025afddd8ffd83550da90117169954e52988bc3a5d29de396f4e0e4a397732ae697bc4e914a1f8132430c4e61afc6a44b502daaee61ebd53a2bc07cadab29b83
SSDEEP

384:aIryoy9vKxPTN4qshQx1OFd20vFLgPePqDuIIfzdC0:H2oy9kP20P4d79Lg2qDurpC0

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	3432	WScript.exe
33	3432	WScript.exe
35	3432	WScript.exe
37	3432	WScript.exe
38	3432	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 652	3432	WScript.exe	95
PID 3432 wrote to memory of 652	3432	WScript.exe	95
PID 3432 wrote to memory of 1688	3432	WScript.exe	96
PID 3432 wrote to memory of 1688	3432	WScript.exe	96

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\moeQG.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp/yAWGhthcJ2.dll,qwerty
  2⤵
  PID:652
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp/yAWGhthcJ3.dll,qwerty
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yAWGhthcJ2.dll

Filesize
555B

MD5
6972e068753736f77ae8dd8e60100150

SHA1
a299088bded88bfd77eaa943c4078849b057b17a

SHA256
6cd7ed537df24ca4190649118575ad80b315d5041dae6caf875be67883270ba3

SHA512
dc00f90ed3dc2b19a4762d7722c972049a7063dcc1e431c6aae18006dd1a475d884011774465097967bac4371a529773ba65c7cbbc9f47901f4aad32442df13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAWGhthcJ3.dll

Filesize
70KB

MD5
fa930cf1ef1563e788fed21c100b0bd2

SHA1
ed8f4e0ee9069fefe528fcc9eff844363c0bfc38

SHA256
280131d7a7255fe39e45c6f51606f712f1a026e3845f627701f4c4724bc669a3

SHA512
70f8d5c2eb18827e0b2ef19161c392733f82d69e2572c8185d68ae2fe0d6e0806e9cc2be34e31ab3c7cc63ddb6dfce9f8085af13124d0a1cc54787642b17aedf

Download Submit