bfdee5c9ef2b8f526e703c231d7fad299efaf783357c33ee8428ff0db79e81c0

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.vbs
Size

257B
MD5

28b95d6abebeab4350a49d2001fb94da
SHA1

855b275019cf525292d250bbdafaf44be53cb9d6
SHA256

bfdee5c9ef2b8f526e703c231d7fad299efaf783357c33ee8428ff0db79e81c0
SHA512

217c341c3949002c3a63845540ea982a880d97bf0a5c56e44db637a53dbde333087c3892ad19da91495948b697da5570f97426ac98d125b6ec87b67200de5f6d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4220	2980	WScript.exe	81
PID 2980 wrote to memory of 4220	2980	WScript.exe	81
PID 2980 wrote to memory of 3748	2980	WScript.exe	83
PID 2980 wrote to memory of 3748	2980	WScript.exe	83
PID 3748 wrote to memory of 2296	3748	cmd.exe	85
PID 3748 wrote to memory of 2296	3748	cmd.exe	85

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo x=msgbox("Your computer has been infected!", 16, "Virus Alert") > C:\Users\Admin\AppData\Local\Temp\virus.vbs
  2⤵
  PID:4220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\virus.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\virus.vbs"
    3⤵
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\virus.vbs

Filesize
66B

MD5
27bed2caaf350e764969b0f4a0b7122c

SHA1
79887878f5cd9445bd22808310815b5063fe418c

SHA256
52fac398d5b66601f65dab0ed58b77dcf369c0726ae2d4a99993fc5a3f533bdb

SHA512
b4dd82f5b037aa8492d26b7f8434742d045f73a25ccdba80c6b13c62fa320932c37af56d124ae28887767d9b604758ac6ccd2180dce702593e04c99f9b827275

Download Submit