7a4972d52dc90802c975c5ecb8f451450772170efe6b7c447cb396d5b0027059

Analysis

max time kernel
55s
max time network
67s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 11:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HJN.VBS
Size

35KB
MD5

0a6cbbb50a759ba9029241c28f29489b
SHA1

7bce93167ad2fb200c1a9e8563a29fe9351eabfd
SHA256

7a4972d52dc90802c975c5ecb8f451450772170efe6b7c447cb396d5b0027059
SHA512

2fe56c0ed6e5c427c50ff270b24a9fe4e376c98c4e0ce502bc55accb6dc19ef958a210f147857403bdf57a40c514ba7c3cf4bfa5b7e79d48fedfeab3e5bc6b45

Score

8^/10

persistence

Malware Config

Signatures

Modifies the visibility of hidden or system files 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WScript.exe

Deletes itself 1 IoCs

pid	Process
112	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1524	112	WScript.exe	25
PID 112 wrote to memory of 1524	112	WScript.exe	25
PID 112 wrote to memory of 1524	112	WScript.exe	25

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\HJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HJN.VBS\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HJN = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HJN.VBS\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJN.VBS	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJN.VBS	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HJN.VBS"
1⤵
- Modifies the visibility of hidden or system files
- Deletes itself
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Drops startup file
PID:112
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\HJN.VBS"
  2⤵
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-1-0x0000000002630000-0x0000000002634000-memory.dmp

Filesize
16KB

Download