Overview

overview

10

Static

static

7

IMG001.scr

windows7-x64

8

IMG001.scr

windows10-2004-x64

8

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

$R9/NsCpuC...32.exe

windows7-x64

7

$R9/NsCpuC...32.exe

windows10-2004-x64

7

$R9/NsCpuC...64.exe

windows7-x64

7

$R9/NsCpuC...64.exe

windows10-2004-x64

7

$R9/Plugin...os.dll

windows7-x64

3

$R9/Plugin...os.dll

windows10-2004-x64

3

$R9/Plugins/inetc.dll

windows7-x64

3

$R9/Plugins/inetc.dll

windows10-2004-x64

3

$R9/Plugins/tftp.exe

windows7-x64

10

$R9/Plugins/tftp.exe

windows10-2004-x64

10

$R9/Stubs/bzip2.exe

windows7-x64

3

$R9/Stubs/bzip2.exe

windows10-2004-x64

3

$R9/Stubs/...id.exe

windows7-x64

3

$R9/Stubs/...id.exe

windows10-2004-x64

3

$R9/Stubs/lzma.exe

windows7-x64

3

$R9/Stubs/lzma.exe

windows10-2004-x64

3

$R9/Stubs/zlib.exe

windows7-x64

3

$R9/Stubs/zlib.exe

windows10-2004-x64

3

$R9/makensis.exe

windows7-x64

1

$R9/makensis.exe

windows10-2004-x64

3

information.vbe

windows7-x64

8

information.vbe

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    information.vbe

  • Size

    1KB

  • MD5

    e9ffdb716af3d355b25096a8ed4de8ef

  • SHA1

    66e2b15ba4dbfa127c3ec86abce666870a4a168a

  • SHA256

    30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b

  • SHA512

    f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3

Score
8/10
defense_evasion

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\information.vbe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\information.vbe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Windows\System32\cmd.exe
        cmd /c (echo [ZoneTransfer] & echo ZoneId=0) > C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier
        3⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • NTFS ADS
        PID:2040
      • C:\Windows\System32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2.exe
        3⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit