b92b2b4cac45231f8e8105a13b0d95f8997fd6e936c0bc712e5bc86a9b109ad1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trigger.vbs
Size

1KB
MD5

6a1f32674e0f60fd94e5b660cb518ae7
SHA1

15e5fa5e75008d286cf2c320050dec94f11be18d
SHA256

b92b2b4cac45231f8e8105a13b0d95f8997fd6e936c0bc712e5bc86a9b109ad1
SHA512

df228f584aa3994c339173fea9cc8befc92d638017a51fc9909376ab8f0c7a75d54e6ebb99826c781df036e14912ceadb7e35eb886f85950453a69d8b4594a06

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3444	WScript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3268	3444	WScript.exe	81
PID 3444 wrote to memory of 3268	3444	WScript.exe	81
PID 3444 wrote to memory of 2120	3444	WScript.exe	82
PID 3444 wrote to memory of 2120	3444	WScript.exe	82
PID 3444 wrote to memory of 3296	3444	WScript.exe	84
PID 3444 wrote to memory of 3296	3444	WScript.exe	84
PID 3444 wrote to memory of 4264	3444	WScript.exe	85
PID 3444 wrote to memory of 4264	3444	WScript.exe	85
PID 3444 wrote to memory of 5000	3444	WScript.exe	86
PID 3444 wrote to memory of 5000	3444	WScript.exe	86
PID 3444 wrote to memory of 1504	3444	WScript.exe	87
PID 3444 wrote to memory of 1504	3444	WScript.exe	87
PID 3444 wrote to memory of 4848	3444	WScript.exe	88
PID 3444 wrote to memory of 4848	3444	WScript.exe	88
PID 3444 wrote to memory of 1980	3444	WScript.exe	89
PID 3444 wrote to memory of 1980	3444	WScript.exe	89
PID 3444 wrote to memory of 1188	3444	WScript.exe	90
PID 3444 wrote to memory of 1188	3444	WScript.exe	90
PID 3444 wrote to memory of 1036	3444	WScript.exe	91
PID 3444 wrote to memory of 1036	3444	WScript.exe	91
PID 3444 wrote to memory of 3504	3444	WScript.exe	94
PID 3444 wrote to memory of 3504	3444	WScript.exe	94
PID 3444 wrote to memory of 5104	3444	WScript.exe	95
PID 3444 wrote to memory of 5104	3444	WScript.exe	95
PID 3444 wrote to memory of 3140	3444	WScript.exe	99
PID 3444 wrote to memory of 3140	3444	WScript.exe	99
PID 3444 wrote to memory of 1576	3444	WScript.exe	100
PID 3444 wrote to memory of 1576	3444	WScript.exe	100
PID 3444 wrote to memory of 3560	3444	WScript.exe	103
PID 3444 wrote to memory of 3560	3444	WScript.exe	103
PID 3444 wrote to memory of 3108	3444	WScript.exe	104
PID 3444 wrote to memory of 3108	3444	WScript.exe	104
PID 3444 wrote to memory of 4880	3444	WScript.exe	105
PID 3444 wrote to memory of 4880	3444	WScript.exe	105
PID 3444 wrote to memory of 1204	3444	WScript.exe	106
PID 3444 wrote to memory of 1204	3444	WScript.exe	106
PID 3444 wrote to memory of 4456	3444	WScript.exe	107
PID 3444 wrote to memory of 4456	3444	WScript.exe	107
PID 3444 wrote to memory of 1456	3444	WScript.exe	108
PID 3444 wrote to memory of 1456	3444	WScript.exe	108
PID 3444 wrote to memory of 3484	3444	WScript.exe	109
PID 3444 wrote to memory of 3484	3444	WScript.exe	109
PID 3444 wrote to memory of 4340	3444	WScript.exe	110
PID 3444 wrote to memory of 4340	3444	WScript.exe	110
PID 3444 wrote to memory of 2956	3444	WScript.exe	111
PID 3444 wrote to memory of 2956	3444	WScript.exe	111
PID 3444 wrote to memory of 2372	3444	WScript.exe	112
PID 3444 wrote to memory of 2372	3444	WScript.exe	112
PID 3444 wrote to memory of 2492	3444	WScript.exe	113
PID 3444 wrote to memory of 2492	3444	WScript.exe	113
PID 3444 wrote to memory of 1388	3444	WScript.exe	114
PID 3444 wrote to memory of 1388	3444	WScript.exe	114
PID 3444 wrote to memory of 2120	3444	WScript.exe	115
PID 3444 wrote to memory of 2120	3444	WScript.exe	115
PID 3444 wrote to memory of 3900	3444	WScript.exe	116
PID 3444 wrote to memory of 3900	3444	WScript.exe	116
PID 3444 wrote to memory of 3700	3444	WScript.exe	117
PID 3444 wrote to memory of 3700	3444	WScript.exe	117
PID 3444 wrote to memory of 3916	3444	WScript.exe	118
PID 3444 wrote to memory of 3916	3444	WScript.exe	118
PID 3444 wrote to memory of 4996	3444	WScript.exe	119
PID 3444 wrote to memory of 4996	3444	WScript.exe	119
PID 3444 wrote to memory of 1916	3444	WScript.exe	120
PID 3444 wrote to memory of 1916	3444	WScript.exe	120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3268
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3296
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4264
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:5000
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1980
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:1188
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1036
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3140
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1576
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4880
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1204
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3484
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4340
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:2956
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:2492
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1388
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:2120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3900
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3700
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3916
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4996
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1916
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:396
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:5004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2948
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:3148
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1476
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4924
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3000
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4432
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5088
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:2324
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4392
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:4968
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbs"
  2⤵
  PID:924
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\f.vbs

Filesize
3B

MD5
3d0bd6b5f67f726d0bdb65f88bca374c

SHA1
1b75aa24f743a80bb85cd8cc921c66f779783f1f

SHA256
ffa625f9e301bded2619003e6a2160e2abd0ec6502579786bc872845fe2610fc

SHA512
fd15db572439b800cb64afffb232125f4078a0e89fa5eabd5751bd36ff22bfc9c9d14a56f17882651e5152102585bdb848e7483c105d04f05e220d7f41ffac14

Download Submit
C:\Users\Admin\AppData\Roaming\msg.vbs

Filesize
16B

MD5
febba25969d7363536dbc8cb8f620ea8

SHA1
c2492b795c1733ccb281ae3665d38fa4713b8ebf

SHA256
d65935643c5722e229d0d68283571402c91c71edaefcf3e0d55cf44db3911272

SHA512
9cc307d3bf0d911ef434f0a4f7fcb0f66e8bef720e62ffdf75e5103d448c07d96673594990aa3a5b7a145c01f921ff3865be3ffded3662656993ad0428769a74

Download Submit
C:\Users\Admin\Desktop\ConvertProtect.vbs

Filesize
1KB

MD5
6a1f32674e0f60fd94e5b660cb518ae7

SHA1
15e5fa5e75008d286cf2c320050dec94f11be18d

SHA256
b92b2b4cac45231f8e8105a13b0d95f8997fd6e936c0bc712e5bc86a9b109ad1

SHA512
df228f584aa3994c339173fea9cc8befc92d638017a51fc9909376ab8f0c7a75d54e6ebb99826c781df036e14912ceadb7e35eb886f85950453a69d8b4594a06

Download Submit