ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wscripts/service-install.vbs
Size

412B
MD5

971e2a344a6e17347a81eeb21ada7ba7
SHA1

37e034c29adda9b118b75bfdc7c6f41aac71e257
SHA256

01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1
SHA512

5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

Score

8^/10

execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
216	sc.exe
1692	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 216	744	WScript.exe	82
PID 744 wrote to memory of 216	744	WScript.exe	82
PID 744 wrote to memory of 1692	744	WScript.exe	84
PID 744 wrote to memory of 1692	744	WScript.exe	84

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wscripts\service-install.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Users\Admin\AppData\Local\Temp\wscripts\pservice.exe\"" start= auto type= interact type= own
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" start Parsec
  2⤵
  - Launches sc.exe
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads