Analysis
-
max time kernel
135s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-05-2024 20:11
Static task
static1
Behavioral task
behavioral1
Sample
run2.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
run2.vbs
Resource
win10v2004-20240426-en
General
-
Target
run2.vbs
-
Size
261KB
-
MD5
a706bd911f5e832cae1626739c28477a
-
SHA1
db2a4e98c698ea8f89000d4a22746a0a5eeb37c0
-
SHA256
d42989249e63da78fb0dd9fedca355f0a2006b2ab39e63ecfbebf5a2aca8d50d
-
SHA512
99eef31b3e4f1f462240647be0717435f492e71bd1bf4ec355d284f9378b2a432a103812c5ad477f1efab52287df6baeeacf83cc48330cade3b9ad246c806539
-
SSDEEP
6144:w3G3wiSHA2I+g5N91lSkuhNB/Lq3uqX883Wjq507OJsq8repl+JPUczCsJQf7UVk:w3G3wiSHAx+g5N91l7uX9Ly
Malware Config
Extracted
metasploit
windows/download_exec
http://NASDJKNASDJKNJKSDNL.COM:80/html/terces.php?/12345
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
process: WScript.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exe
pid: 2312
process: svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exe
description: PID 2736 wrote to memory of 2312
pid: 2736
process: WScript.exe
target process: svchost.exe
(the same row is reported three times, one per IoC)
Processes
-
C:\Windows\System32\WScript.exe
command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run2.vbs"
depth: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736 -
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    depth: 2
    - Executes dropped EXE
    PID:2312
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
72KB
MD5
516ca9cd506502745e0bfdf2d51d285c
SHA1
88aa578264dcedc72da7276c63cc98ac200b8e86
SHA256
d4c09b1b430ef6448900924186d612b9638fc0e78d033697f1ebfb56570d1127
SHA512
bc24ab05d63da5e5041d9d2e6b79790d2b44fcffa60bc860064790a0e24cb399f32125f3626518c97e55e450325327f4027bdbe2939213340492faf94ba38f84