8f24af6b16e50c1fcacd744971d800382bc12d0043f3615c94703e3c51763604

Analysis

max time kernel
133s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.vbs
Size

2KB
MD5

99302e53d0025be05ad09a4b2787720d
SHA1

769dc76ab84dd588a4ac2c5f90b02b04d2cd00fd
SHA256

8f24af6b16e50c1fcacd744971d800382bc12d0043f3615c94703e3c51763604
SHA512

324e73d79b1bdda41b32b4ee5e7ff77bf8baaeaceb437a665a92b68282e3e11ed02291ee148ea7d04a5e737a2ec6fc31c89ab9e4cea8de13f410a6c104386c0a

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	4068	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api64.ipify.org
10	api64.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1876	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2720	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2720	4068	WScript.exe	86
PID 4068 wrote to memory of 2720	4068	WScript.exe	86
PID 4068 wrote to memory of 1876	4068	WScript.exe	92
PID 4068 wrote to memory of 1876	4068	WScript.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Roaming\note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2720
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\note.txt

Filesize
105B

MD5
7974a453105fb964df9cbdf56bd8f998

SHA1
f99e67104498c6a19323cdb636f3edfee2f89119

SHA256
03eae3a1fc877ce36665bcf5c4f6b2614059447b454132083e3ed1eb439e00f0

SHA512
243e57c7f65de4f0ad505062bb80f06b2342d515b0f55bed8978f51367e517c42d60df5d85d83fa5f9ec17f076d2ea40fe4eefed7fadc2e72f88fad57c63d107

Download Submit