0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe
Size

308KB
MD5

d4955fc98c22f0a2952ee213e9acbcec
SHA1

87757f2d314e24cc5b2e6c15e052cdb2a8733c53
SHA256

0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b
SHA512

5287c7a4f995f57418fc2edf278ecb8119d1e82579103ed1e2e9e27939837a49839695f6609aaee39b8190efd0a3569e8d9ab38169659fa1dbc43e39a8fda3f0
SSDEEP

6144:SCGaECnpAoDO1A8dg3iTPJLMfgQZX+tJs0dxm:DGHCnaomAEg3uPdkgOX+tZdxm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 3196	936	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	82
PID 936 wrote to memory of 3196	936	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	82
PID 936 wrote to memory of 3196	936	0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe	82
PID 3196 wrote to memory of 4168	3196	WScript.exe	84
PID 3196 wrote to memory of 4168	3196	WScript.exe	84
PID 3196 wrote to memory of 4168	3196	WScript.exe	84

C:\Users\Admin\AppData\Local\Temp\0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe
"C:\Users\Admin\AppData\Local\Temp\0bb95a479871eb067b8dd782a2e2c099f8aec1070642fad21a728469a59a2c2b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WeCominstall.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeCominstall.cmd" "
    3⤵
    PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WeCominstall.cmd

Filesize
899B

MD5
6b0dcdd9603f5630f74a264e4c0762d3

SHA1
b8adc858ed4156589653ad57c003d3a74e7a3f53

SHA256
0d741448e6a1dc4102c2310e53427cb9765341abdabf4e582e38dde607086a19

SHA512
4f9641077a46843bffce06bd4ac18c3629b8d2d804657ed151b51875e90776656174cea18d197d5e0717064f57f89eddb25b2b4c41fb2b5a9356451fa7291a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeCominstall.vbs

Filesize
144B

MD5
34f9b74003e36d0e7871afebbf1c0a4e

SHA1
e6d0713917ec148e8e3ebcc0c6b345516a9f15fd

SHA256
81afdfa77b5f948db65b0d853eda670c89710e2cfbefc5fb4a6ff5da383d1e7c

SHA512
329030af776732bddd32b7d0aeaafd2f1609bbc2fe73c39ef6c206be7523e5101ea0c501c50f4f290d94477a7785046aede99d134eaa6c28a372b491a067bbe4

Download Submit