Analysis
- max time kernel: 7s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-11-2020 23:24
Static task: static1
Behavioral task: behavioral1
- Sample: 22VVBN0D55D8GF7000DS1S4S8A5.vbs
- Resource: win10v20201028
Behavioral task: behavioral2
- Sample: ~.exe
- Resource: win10v20201028
Behavioral task: behavioral3
- Sample: 22VVBN0D55D8GF7000DS1S4S8A5.vbs
- Resource: win7v20201028
Behavioral task: behavioral4
- Sample: ~.exe
- Resource: win7v20201028
General
- Target: 22VVBN0D55D8GF7000DS1S4S8A5.vbs
Malware Config
Signatures
- Blocklisted process makes network request 1 IoCs
  Processes: WScript.exe
  flow  pid   process
  4     1416  WScript.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes: WScript.exe
  description                          pid   process      target process
  PID 1936 wrote to memory of 1416     1936  WScript.exe  WScript.exe
  PID 1936 wrote to memory of 1416     1936  WScript.exe  WScript.exe
  PID 1936 wrote to memory of 1416     1936  WScript.exe  WScript.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22VVBN0D55D8GF7000DS1S4S8A5.vbs" 1⤵
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\E69.vbs" 2⤵
  - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\E69.vbs
MD5: acf4e26d5fa1883fb7f851aa9eee8a56
SHA1: 01fcfecd96b50823f247f6de0efcecb5ace304a8
SHA256: 9402ff9c33fccb25615d69c04a1982498054266b2d20173d5df47643f1bf720d
SHA512: 65f91dc79519dfd34bc73a34755eaa0547a10eec6b1b56b275559e9f6b640f42a0d492985b0c5c62e5d97935d61bf035e4f784f29a35ef83bd0d2de0ed63c8ac
-
memory/1416-2-0x0000000000000000-mapping.dmp
-
memory/1416-5-0x0000000002680000-0x0000000002684000-memory.dmp
Filesize: 16KB
-
memory/1656-4-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp
Filesize: 2.5MB