Analysis Overview
SHA256
5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b
Threat Level: Shows suspicious behavior
The file 5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win7-20240903-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 876 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 876 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 876 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 876 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe
"C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
Files
memory/876-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | 093c5aaae995450f228c26d1c383e55b |
| SHA1 | f58e2d718af40a7b9c636f47b765000a36a89a6a |
| SHA256 | fa9146ffa113b9e09a3ac81d6b95de8e42500d8a2801f169535cae8a9b79dc34 |
| SHA512 | 644182eb6f9e32567daf315d266ceb4f310272976f003e5a39dffffd6dc23789299c590a6cf6821cc2cc63224753efaab03d375f6544d690a5690afaa0cb3fa6 |
memory/876-9-0x0000000000400000-0x000000000055F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:53
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
145s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe
"C:\Users\Admin\AppData\Local\Temp\5bd2ba6e362917ec9dd9cc2ec7a433307da9945bb4f7f9458036afdfec59e70b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4500-0-0x0000000000400000-0x000000000055F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| Hash | Value |
|---|---|
| MD5 | 062fff659a84b6b180143b4caa7b2dbf |
| SHA1 | 81099fdd0bce4153bb6b24411c5df128986454fa |
| SHA256 | a6dcc924f7d990d52809fc4cdfc7c6eb5d43625a9124b401c744415e63d42256 |
| SHA512 | 796ee5ef3d745266f22a0a5a0d86a852b790b15b47f7e66ea559ed0654dc5d17d568669a3acccf74315277b9b4260810c1c8bdbd089ad0c7c53b6df7ebf4419a |
memory/4500-12-0x0000000000400000-0x000000000055F000-memory.dmp