Analysis

  • max time kernel
    137s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 19:14

General

  • Target

    0f973994b177498ca585a4aa1cb87cfdeeba036904b1310645e9445bec6bb694.exe

  • Size

    1.1MB

  • MD5

    56581dd5bc28b6eda1e847297f97e260

  • SHA1

    c941924cd595ae8ca633d7496e815dee85dee25d

  • SHA256

    0f973994b177498ca585a4aa1cb87cfdeeba036904b1310645e9445bec6bb694

  • SHA512

    896a6bfa5fa381b06f185036695b1bcc9d8e372cd4f5f9b0e5a267b5cda5c45a921a121dff17c57935e110187747b3b8bbdd447a85fc16ed21b2345419e411cb

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qb:acallSllG4ZM7QzMc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f973994b177498ca585a4aa1cb87cfdeeba036904b1310645e9445bec6bb694.exe
    "C:\Users\Admin\AppData\Local\Temp\0f973994b177498ca585a4aa1cb87cfdeeba036904b1310645e9445bec6bb694.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:952

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    828cdf493a20969d0b24a6b973a16902

    SHA1

    4006d9dbce8a3a3556d9fa37b9f910aef4727d5d

    SHA256

    1e96f09c1cf76cd0764ae5d33b209e00f8e2bf43c5d59f08ac50e2c01cddbe75

    SHA512

    16af9c2b5461167df2cd92b115b8f043c4cdeb091c80785bd51ce945b171e2b2e40a860e3e8c48d181b7dc43bac03ad86f56f03fa47cb5883cb014c8957991e4

  • memory/3488-0-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB

  • memory/3488-12-0x0000000000400000-0x000000000055F000-memory.dmp

    Filesize

    1.4MB