976eb912c8c957c2bca5f8812568fa1a8d2ab71881af1526c276a52ad0bdf9ea

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDERS.scr
Size

1.1MB
MD5

acebb19a9b0ac74a82d68dd9919752a7
SHA1

2d3d7c32c22329cd8e19eec67fcc8fdcc7c63168
SHA256

52c1daa48f7a7341a1fe5b90241cdbd64b4e2586c0d9f27284449be57247ad76
SHA512

8bf7cdc831262227948b67f33ed7c3c8a7d8f39d511eaf01ef132334a0beb0282f5335a4006062c8912d7df8e5d51bff91c31e9849258a9ac05ce612bb9791ce
SSDEEP

24576:bNA3R5drXadXhgHG+8DJ6Q6qgb/j5fjnQbz8qXAX4FQYcZRSnqJSW:G5CXhI/8DJh6nL5fjnuzHQX465RFJ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ORDERS.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	heldecibuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDERS.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heldecibuq.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	ORDERS.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4680	2188	ORDERS.scr	89
PID 2188 wrote to memory of 4680	2188	ORDERS.scr	89
PID 2188 wrote to memory of 4680	2188	ORDERS.scr	89
PID 4680 wrote to memory of 1220	4680	WScript.exe	90
PID 4680 wrote to memory of 1220	4680	WScript.exe	90
PID 4680 wrote to memory of 1220	4680	WScript.exe	90

C:\Users\Admin\AppData\Local\Temp\ORDERS.scr
"C:\Users\Admin\AppData\Local\Temp\ORDERS.scr" /S
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\f2818e0517\ssoe.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\f2818e0517\heldecibuq.exe
    "C:\f2818e0517\heldecibuq.exe" spnhv.thc
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\f2818e0517\heldecibuq.exe

Filesize
646KB

MD5
a3e8113ff31e86152d4a384dab4ea102

SHA1
28cabe6b57d14f6dd47a880c51bc9726d017989f

SHA256
d06ea150b0a83b9cf2ef63fdafc9e79a23bfa004c9f42d526499329e0ab1c977

SHA512
f34d79e3984e819c2e86e9b75c27985f7f4d8696bd3bf18447b697e127db3f76c707369336925ae941f95053d4e83d1684356d479be2295114d654bb24efb290

Download Submit
C:\f2818e0517\ssoe.vbe

Filesize
40KB

MD5
c20048dad2cd829b63302a2e017fc888

SHA1
94482fed7a6335e23ef26f87b2a94320893c18af

SHA256
7a03af4b8eb03756865b86580b3484c6f0d237a5fc3e842e3106722b480a9aee

SHA512
972d68180c37bed93db90d1fa6b221606548cd39584e90dd4616379eba2cd5edd5e383522b2937a7312821a6f8c23f8ee540d784c08f2840cb99a7e0401c2667

Download Submit