Analysis
-
max time kernel
298s
-
max time network
301s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
-
submitted
30-06-2024 12:57
Static task
static1
Behavioral task
behavioral1
Sample
nDqOiSmU.vbs
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
nDqOiSmU.vbs
Resource
win10v2004-20240611-en
General
-
Target
nDqOiSmU.vbs
-
Size
10KB
-
MD5
161b4e988b395a2942c84f127f36a274
-
SHA1
2d43c412b6939557de9770944eae7bd87c9dc363
-
SHA256
aaebe94f90f33e30b24bbce26899e6c5d6dfb63abd91d32e45d42abc5933755a
-
SHA512
dec2fba3fc3ebe45dac3fe80921eaae39044efa5ba37ee19d8838c5eaab2c779ddda57c58df77b44eace700c902eac440f0cf64158ab2bf54c26cdf044e8bc48
-
SSDEEP
48:ZHG0n6qtcQaryowcGDDuJ22GZSo2ke5ETurr5WeXDatEAc7Aum:Y2KryowcGDDuJ23Te5ETusemQXm
Malware Config
Extracted
metasploit
metasploit_stager
51.75.140.195:4444
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                              process
Key value queried   \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation   WScript.exe
-
Executes dropped EXE (9 IoCs)
Processes:
pid    process
3220   HYIZFiFx.exe
840    HYIZFiFx.exe
1168   HYIZFiFx.exe
4856   HYIZFiFx.exe
3212   HYIZFiFx.exe
1168   HYIZFiFx.exe
2124   HYIZFiFx.exe
3512   HYIZFiFx.exe
4092   HYIZFiFx.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description                          pid    process       target process
PID 3364 wrote to memory of 3220     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 3220     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 840      3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 840      3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 1168     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 1168     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 4856     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 4856     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 3212     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 3212     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 1168     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 1168     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 2124     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 2124     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 3512     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 3512     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 4092     3364   WScript.exe   HYIZFiFx.exe
PID 3364 wrote to memory of 4092     3364   WScript.exe   HYIZFiFx.exe
Processes
-
C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nDqOiSmU.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\rad07C0E.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad07C0E.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\rad7F5C6.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad7F5C6.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\rad1D7BD.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad1D7BD.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\radCD3FF.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\radCD3FF.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\rad31C37.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad31C37.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\radEF116.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\radEF116.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\radD520C.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\radD520C.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\rad5F34F.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad5F34F.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\rad2153E.tmp\HYIZFiFx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rad2153E.tmp\HYIZFiFx.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rad07C0E.tmp\HYIZFiFx.exe
Filesize
7KB
MD5
d63f891159c2acc02c59d0585ed9df3f
SHA1
d7d752250189198e88279b8917f4e24973d55c0a
SHA256
ff3b6d8bd5f018c067bfded4c20729487eda1897e01c78a5731252100eb9a569
SHA512
1b0e043bc33e634844dae94cf8e27f0b351a347e148b4fb4c3f2d0f47256e071ec77d9b697b6c1a72d4c2667852b0f8589d9610cc0147c51b4b9f8f7b4816dbb
-
memory/3220-7-0x0000000140000000-0x0000000140004240-memory.dmp
Filesize
16KB
-
memory/3220-9-0x0000000140000000-0x0000000140004240-memory.dmp
Filesize
16KB