Malware Analysis Report

2025-04-03 10:42

Sample ID 241109-2skbratgjj
Target 771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da
SHA256 771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da

Threat Level: Shows suspicious behavior

The file 771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:50

Reported

2024-11-09 22:53

Platform

win7-20240903-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe

"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

N/A

Files

memory/3012-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 cf161c3c8df88c43b7f34b4184b828f3
SHA1 c3acf524d14b9f9c1a858ef678b58f8220fd89e9
SHA256 d92194a71850505ea34fbaa79faa0201abac252cfb3f34d76bf557832a941d62
SHA512 d620d14d34d43dda7667f148bc2ac21a515187a9d3915ef1091a399a7ecfef3e4ba42fb89d6c1846d2941d459d03ae78254e4aa0168cc6de89cb38e40fc2c804

memory/3012-9-0x0000000000400000-0x000000000055F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:50

Reported

2024-11-09 22:53

Platform

win10v2004-20241007-en

Max time kernel

130s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe

"C:\Users\Admin\AppData\Local\Temp\771c6de77f1cf30a61eccff4860c34612ab01e4d8d9fc197f424bf70de2ca4da.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4140-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 707b11947c068b3bcf1ccc81dba1773e
SHA1 7538cbbf8906f8e7f3cd83398222850e6a258c66
SHA256 3bb4759e0fcce7729cfd051174051fd09524de340bc6c263b06e5967cb5117c8
SHA512 bd4542ae72f4fa037fff0527ee8c6391c6515741794b4bbae35f0c28677a63d3a3c1f645b6eb471f716709bc8b6bdde6910e9406c52b1727fe51c92acbcd071a

memory/4140-12-0x0000000000400000-0x000000000055F000-memory.dmp