Analysis Overview
SHA256
771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da
Threat Level: Shows suspicious behavior
The file 771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da was assigned the verdict: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win7-20240903-en
Max time kernel
149s
Max time network
127s
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3012 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe
"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Files
memory/3012-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | cf161c3c8df88c43b7f34b4184b828f3 |
| SHA1 | c3acf524d14b9f9c1a858ef678b58f8220fd89e9 |
| SHA256 | d92194a71850505ea34fbaa79faa0201abac252cfb3f34d76bf557832a941d62 |
| SHA512 | d620d14d34d43dda7667f148bc2ac21a515187a9d3915ef1091a399a7ecfef3e4ba42fb89d6c1846d2941d459d03ae78254e4aa0168cc6de89cb38e40fc2c804 |
memory/3012-9-0x0000000000400000-0x000000000055F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win10v2004-20241007-en
Max time kernel
130s
Max time network
141s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe
"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4140-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | 707b11947c068b3bcf1ccc81dba1773e |
| SHA1 | 7538cbbf8906f8e7f3cd83398222850e6a258c66 |
| SHA256 | 3bb4759e0fcce7729cfd051174051fd09524de340bc6c263b06e5967cb5117c8 |
| SHA512 | bd4542ae72f4fa037fff0527ee8c6391c6515741794b4bbae35f0c28677a63d3a3c1f645b6eb471f716709bc8b6bdde6910e9406c52b1727fe51c92acbcd071a |
memory/4140-12-0x0000000000400000-0x000000000055F000-memory.dmp