8a0a41151790bacf589d57b4f7f5e184dcfff50d333f9334bef652fce0b9d29a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2024-06-13 034116342.vbs
Size

158KB
MD5

1818e27a2fdd32a7513e2d6aff769d61
SHA1

80796dda7bc9cedd101d2c0c7700f235ff689066
SHA256

8a0a41151790bacf589d57b4f7f5e184dcfff50d333f9334bef652fce0b9d29a
SHA512

463dd78ed724d0817d77840774f310bcc2c2fc9caa99ab7070633e26beea957743c75d1315ebb09ce976d1e78263daec2bd2d7c6a294bddfbbfc4788574d2bd0
SSDEEP

1536:n9gPdF8M4miEnudQV24qf4t0OeJBIGtCnCQf147Xt1wbsSXiMvQiih:n9gn4g4QAlf4WIICCG14791wXyM4iih

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3364	464	WScript.exe	83
PID 464 wrote to memory of 3364	464	WScript.exe	83

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-06-13 034116342.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\Screenshot 2024-06-13 034116342.vbs"
  2⤵
  PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Screenshot 2024-06-13 034116342.vbs

Filesize
158KB

MD5
1818e27a2fdd32a7513e2d6aff769d61

SHA1
80796dda7bc9cedd101d2c0c7700f235ff689066

SHA256
8a0a41151790bacf589d57b4f7f5e184dcfff50d333f9334bef652fce0b9d29a

SHA512
463dd78ed724d0817d77840774f310bcc2c2fc9caa99ab7070633e26beea957743c75d1315ebb09ce976d1e78263daec2bd2d7c6a294bddfbbfc4788574d2bd0

Download Submit