86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db

Resubmissions

25/02/2025, 18:32

250225-w6rp4a1jw6 7

02/08/2023, 16:00

230802-tfr7tsfd97 8

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invert.vbs
Size

2KB
MD5

87dad74ca7c9ce18220fc3414a28e021
SHA1

749b73dd6aa8dfe3bd529a015506c8784f825a3e
SHA256

86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db
SHA512

5f2e31ac56c12e906f40c1ea56fa6c5791846558ae3be174b40f1f03a00fc3539a997f3b9ebd6c6705476099987264d48dada7aee68bc8c7ea86dae940fdc916

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 8 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\ActiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\InactiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\Menu = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\Window = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\WindowText = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\MenuText = "255 255 255"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\Colors\Background = "0 0 0"	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2296	2268	WScript.exe	88
PID 2268 wrote to memory of 2296	2268	WScript.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invert.vbs"
1⤵
- Checks computer location settings
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads