Analysis Overview
SHA256
1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7
Threat Level: Shows suspicious behavior
The file 1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7 was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win7-20241023-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe
"C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
Files
memory/2140-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 838d99a7e6c884b9114fb65a527c209f |
| SHA1 | abb7e0af97ec044ef21d4bbaa0004bcc5a74b5b6 |
| SHA256 | 3d12a13fd8dda8019ccb4a25e52ec21dc9743a365e9b97884396f5ab69e22748 |
| SHA512 | 905ec28be1842dcb09183f5a031a575480324dfa708670a7f30e07b947947f5fa89ad6c91a82fe0d28a98d5ccb2fe2e52f1f753529f4391e22b2cc3dbd8e86fb |
memory/2140-11-0x0000000000400000-0x000000000055F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1744 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1744 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1744 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe
"C:\Users\Admin\AppData\Local\Temp\1798b85364256a7415f912b8400cbfa1faa96a1767442438c5b2320f21aa18c7.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1744-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 889b31379c90c3c3609ad626337d3c2e |
| SHA1 | c7d0a6370a7c40e6b87afb5ecf1a94e8aa8bda5b |
| SHA256 | faf8e01268b84e961b9d6146e4d813160e8449fe8c4745a9a7339223eef904b5 |
| SHA512 | a923c3973418632a85e490ce60228806fb58341d5a6f9499d24ab5c417fe7091e33990c17063b785544c8dbdd9955c2932c155b6b128c9f49ce3519d2e6ed195 |
memory/1744-9-0x0000000000400000-0x000000000055F000-memory.dmp