Overview
overview: 10
Static
static: 1
BYBBLJDYNKYQRCIW.ps1 (windows7-x64): 3
BYBBLJDYNKYQRCIW.ps1 (windows10-2004-x64): 10
LOEVIQHNNBLMJQGX.vbs (windows7-x64): 3
LOEVIQHNNBLMJQGX.vbs (windows10-2004-x64): 7
NOXOIMAYDCJQRTDL.bat (windows7-x64): 8
NOXOIMAYDCJQRTDL.bat (windows10-2004-x64): 8
PLYEDPJAJZDJPATK.vbs (windows7-x64): 3
PLYEDPJAJZDJPATK.vbs (windows10-2004-x64): 7
XKAHEZZHLYETQDGK.bat (windows7-x64): 8
XKAHEZZHLYETQDGK.bat (windows10-2004-x64): 8
YEJVMCIJLIUXHSQV.ps1 (windows7-x64): 3
YEJVMCIJLIUXHSQV.ps1 (windows10-2004-x64): 3
Analysis
- max time kernel: 136s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 01:53
Static task: static1
Behavioral tasks (task, sample, resource):
behavioral1   BYBBLJDYNKYQRCIW.ps1   win7-20240611-en
behavioral2   BYBBLJDYNKYQRCIW.ps1   win10v2004-20240611-en
behavioral3   LOEVIQHNNBLMJQGX.vbs   win7-20240508-en
behavioral4   LOEVIQHNNBLMJQGX.vbs   win10v2004-20240611-en
behavioral5   NOXOIMAYDCJQRTDL.bat   win7-20240508-en
behavioral6   NOXOIMAYDCJQRTDL.bat   win10v2004-20240508-en
behavioral7   PLYEDPJAJZDJPATK.vbs   win7-20240611-en
behavioral8   PLYEDPJAJZDJPATK.vbs   win10v2004-20240508-en
behavioral9   XKAHEZZHLYETQDGK.bat   win7-20240611-en
behavioral10  XKAHEZZHLYETQDGK.bat   win10v2004-20240611-en
behavioral11  YEJVMCIJLIUXHSQV.ps1   win7-20240221-en
behavioral12  YEJVMCIJLIUXHSQV.ps1   win10v2004-20240611-en
General
- Target: LOEVIQHNNBLMJQGX.vbs
- Size: 820B
- MD5: 3b02a48a86c436a42cece067efd1616d
- SHA1: 7963c51e6de1389ea22c2fdff4f6ad436556e891
- SHA256: adc0a2c378fc9c87efbb3863c49fa0ac2a25e32a69e320105b79878d1bbcfca6
- SHA512: cf0d9bc3e908e7a3153529e1e975d98806e632f3e5ce708e1c15f64749214d7ac4a02496af99a3a3af382c4ebb89ac31b3d03787303678c3b6b37158816e3523
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation
  process: WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WScript.exe, net.exe
  description                         pid    process       target process
  PID 3692 wrote to memory of 1148    3692   WScript.exe   net.exe
  PID 3692 wrote to memory of 1148    3692   WScript.exe   net.exe
  PID 1148 wrote to memory of 3944    1148   net.exe       net1.exe
  PID 1148 wrote to memory of 3944    1148   net.exe       net1.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LOEVIQHNNBLMJQGX.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3692
  - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" session
    - Suspicious use of WriteProcessMemory
    PID: 1148
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      PID: 3944