Analysis
- max time kernel: 16s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-11-2020 15:12
Static task
static1
Behavioral task
behavioral1
Sample
22D1F555S00DF22S1F44AAA5D1S.vbs
Resource
win7v20201028
Behavioral task
behavioral2
Sample
22D1F555S00DF22S1F44AAA5D1S.vbs
Resource
win10v20201028
Behavioral task
behavioral3
Sample
~.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
~.exe
Resource
win10v20201028
General
-
Target
22D1F555S00DF22S1F44AAA5D1S.vbs
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes: WScript.exe
flow: 6, pid: 2488, process: WScript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: WScript.exe
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings, process: WScript.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: WScript.exe
description: PID 508 wrote to memory of 2488, pid: 508, process: WScript.exe, target process: WScript.exe
description: PID 508 wrote to memory of 2488, pid: 508, process: WScript.exe, target process: WScript.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22D1F555S00DF22S1F44AAA5D1S.vbs"
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\M77.vbs"
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\M77.vbs
MD5: 5aec3639f28abb4748a5677d23d5e9e6
SHA1: 8c2aaf57bfa5235c2e45f44f04fc387ef2b1abd9
SHA256: 0714fac09f397831033f871b24b9850a72e6833a231e4f207c82c13c59d93945
SHA512: 8c6d28e0402acaa40ea762ab6e5763e5994ae8b57f063650e9aa882aa4afdb030102701d45698908022fdf036e2e668075dd9fc6852d1936be469bc3ae38d075
-
memory/2488-0-0x0000000000000000-mapping.dmp