3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750

Resubmissions

09-08-2024 08:38

240809-kjxr2sycnr 10

27-07-2020 18:35

200727-l5jrnfh3sx 8

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7
submitted
27-07-2020 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
Size

246KB
MD5

6b23cda6ddc86713d63e5b6bb853a909
SHA1

7c12556e23a5b283846572fc9a1d70b01d306c1d
SHA256

3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
SHA512

9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1520	1152	WScript.exe	24
PID 1152 wrote to memory of 1520	1152	WScript.exe	24
PID 1152 wrote to memory of 1520	1152	WScript.exe	24
PID 1152 wrote to memory of 1296	1152	WScript.exe	25
PID 1152 wrote to memory of 1296	1152	WScript.exe	25
PID 1152 wrote to memory of 1296	1152	WScript.exe	25
PID 1296 wrote to memory of 1896	1296	cmd.exe	27
PID 1296 wrote to memory of 1896	1296	cmd.exe	27
PID 1296 wrote to memory of 1896	1296	cmd.exe	27
PID 1152 wrote to memory of 1868	1152	WScript.exe	29
PID 1152 wrote to memory of 1868	1152	WScript.exe	29
PID 1152 wrote to memory of 1868	1152	WScript.exe	29

Blacklisted process makes network request 27 IoCs

flow	pid	Process
11	1520	WScript.exe
16	1520	WScript.exe
21	1520	WScript.exe
27	1520	WScript.exe
32	1520	WScript.exe
37	1520	WScript.exe
44	1520	WScript.exe
49	1520	WScript.exe
54	1520	WScript.exe
63	1520	WScript.exe
70	1520	WScript.exe
76	1520	WScript.exe
83	1520	WScript.exe
89	1520	WScript.exe
94	1520	WScript.exe
100	1520	WScript.exe
105	1520	WScript.exe
111	1520	WScript.exe
117	1520	WScript.exe
125	1520	WScript.exe
130	1520	WScript.exe
136	1520	WScript.exe
142	1520	WScript.exe
148	1520	WScript.exe
154	1520	WScript.exe
159	1520	WScript.exe
164	1520	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACCORD POUR COMMISSION A PRELEVER.PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
PID:1152
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs"
  2⤵
  - Blacklisted process makes network request
  - Adds Run key to start application
  - Drops startup file
  PID:1520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:1896
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-7-0x00000000024F0000-0x00000000024F4000-memory.dmp

Filesize
16KB

Download