7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd

Analysis

max time kernel
135s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

information.vbe
Size

1KB
MD5

e9ffdb716af3d355b25096a8ed4de8ef
SHA1

66e2b15ba4dbfa127c3ec86abce666870a4a168a
SHA256

30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
SHA512

f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3

Score

8^/10

defense_evasion

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3200	cscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cmd.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4748	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3200	1612	WScript.exe	85
PID 1612 wrote to memory of 3200	1612	WScript.exe	85
PID 3200 wrote to memory of 2040	3200	cscript.exe	87
PID 3200 wrote to memory of 2040	3200	cscript.exe	87
PID 3200 wrote to memory of 4748	3200	cscript.exe	88
PID 3200 wrote to memory of 4748	3200	cscript.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\information.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\information.vbe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\System32\cmd.exe
    cmd /c (echo [ZoneTransfer] & echo ZoneId=0) > C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:2040
- - C:\Windows\System32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...