d4e22efe33f6e7efe8949460d43be2ee850930ac5818c0071ab8cd909cb4523d

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.vbs
Size

642B
MD5

d56b8338d67b5b32af99fabcff84743c
SHA1

5d91d677bfcc592342b533eb120fab513f3b4136
SHA256

d4e22efe33f6e7efe8949460d43be2ee850930ac5818c0071ab8cd909cb4523d
SHA512

dfcb09b81d7a62972a8bfeca78e611efc7c922ddab32c971fed5f6e05b822139ef6d322183ca0852a5fbf875e575c1792a4c5f4d5521d2086ace988a067e0d79

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2600	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	taskkill.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3424	2308	WScript.exe	81
PID 2308 wrote to memory of 3424	2308	WScript.exe	81
PID 2308 wrote to memory of 2264	2308	WScript.exe	83
PID 2308 wrote to memory of 2264	2308	WScript.exe	83
PID 2308 wrote to memory of 3288	2308	WScript.exe	85
PID 2308 wrote to memory of 3288	2308	WScript.exe	85
PID 2308 wrote to memory of 1300	2308	WScript.exe	87
PID 2308 wrote to memory of 1300	2308	WScript.exe	87
PID 2308 wrote to memory of 4564	2308	WScript.exe	89
PID 2308 wrote to memory of 4564	2308	WScript.exe	89
PID 2308 wrote to memory of 4700	2308	WScript.exe	90
PID 2308 wrote to memory of 4700	2308	WScript.exe	90
PID 2308 wrote to memory of 2736	2308	WScript.exe	91
PID 2308 wrote to memory of 2736	2308	WScript.exe	91
PID 2308 wrote to memory of 4020	2308	WScript.exe	95
PID 2308 wrote to memory of 4020	2308	WScript.exe	95
PID 2308 wrote to memory of 1584	2308	WScript.exe	97
PID 2308 wrote to memory of 1584	2308	WScript.exe	97
PID 2308 wrote to memory of 648	2308	WScript.exe	99
PID 2308 wrote to memory of 648	2308	WScript.exe	99
PID 2308 wrote to memory of 848	2308	WScript.exe	101
PID 2308 wrote to memory of 848	2308	WScript.exe	101
PID 2308 wrote to memory of 2144	2308	WScript.exe	103
PID 2308 wrote to memory of 2144	2308	WScript.exe	103
PID 2308 wrote to memory of 1608	2308	WScript.exe	105
PID 2308 wrote to memory of 1608	2308	WScript.exe	105
PID 2308 wrote to memory of 1820	2308	WScript.exe	107
PID 2308 wrote to memory of 1820	2308	WScript.exe	107
PID 2308 wrote to memory of 2408	2308	WScript.exe	108
PID 2308 wrote to memory of 2408	2308	WScript.exe	108
PID 2308 wrote to memory of 4604	2308	WScript.exe	111
PID 2308 wrote to memory of 4604	2308	WScript.exe	111
PID 2308 wrote to memory of 1064	2308	WScript.exe	113
PID 2308 wrote to memory of 1064	2308	WScript.exe	113
PID 2308 wrote to memory of 2116	2308	WScript.exe	115
PID 2308 wrote to memory of 2116	2308	WScript.exe	115
PID 2308 wrote to memory of 4348	2308	WScript.exe	117
PID 2308 wrote to memory of 4348	2308	WScript.exe	117
PID 2308 wrote to memory of 4184	2308	WScript.exe	119
PID 2308 wrote to memory of 4184	2308	WScript.exe	119
PID 2308 wrote to memory of 1772	2308	WScript.exe	121
PID 2308 wrote to memory of 1772	2308	WScript.exe	121
PID 2308 wrote to memory of 4536	2308	WScript.exe	123
PID 2308 wrote to memory of 4536	2308	WScript.exe	123
PID 2308 wrote to memory of 4040	2308	WScript.exe	125
PID 2308 wrote to memory of 4040	2308	WScript.exe	125
PID 2308 wrote to memory of 4220	2308	WScript.exe	126
PID 2308 wrote to memory of 4220	2308	WScript.exe	126
PID 2308 wrote to memory of 736	2308	WScript.exe	128
PID 2308 wrote to memory of 736	2308	WScript.exe	128
PID 2308 wrote to memory of 3612	2308	WScript.exe	131
PID 2308 wrote to memory of 3612	2308	WScript.exe	131
PID 2308 wrote to memory of 3664	2308	WScript.exe	132
PID 2308 wrote to memory of 3664	2308	WScript.exe	132
PID 2308 wrote to memory of 2044	2308	WScript.exe	135
PID 2308 wrote to memory of 2044	2308	WScript.exe	135
PID 2308 wrote to memory of 4384	2308	WScript.exe	137
PID 2308 wrote to memory of 4384	2308	WScript.exe	137
PID 2308 wrote to memory of 1092	2308	WScript.exe	138
PID 2308 wrote to memory of 1092	2308	WScript.exe	138
PID 2308 wrote to memory of 2600	2308	WScript.exe	141
PID 2308 wrote to memory of 2600	2308	WScript.exe	141

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\what.bat" "
  2⤵
  PID:1092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\what.bat

Filesize
138B

MD5
22daf7675069fd1357b39383b8644f8f

SHA1
6a7b3097021897cd55b48d16ea8e548e085a4f31

SHA256
1b357376ed2cdf28d86f7f9a56b509f02f5d1efa43df0028d04873901228e773

SHA512
7f1152a982419baf844b33d78538cb37223bb7e357fbc2e2501214d977a3c9388dbc194c899610d4f0d1dbe48b38a0e1a0c95156439457d8c04a637f7fd092be

Download Submit