9ca9f83803ab008fbedc3ce11690190720d5d700f40129be6187aec13084419f

General

Target

fasdfdf-c622789sb.vbs
Size

8KB
MD5

102b99a1526857fb40dafee9b0f7b7dc
SHA1

a21304e8c5d20e867b9f55b079ad89d4c81e4fe8
SHA256

e0ad1addf863b85a4a3e51794a86f3a665eaa39de8ef9ac9b1a67023fdad6479
SHA512

7f13e29929cd48993a45c4faddd0ad97def49a2b86063cca3a45d2f7c56136001219afab7accf7c93c1b5c106a563a596f65946c762c987c9ffa9d10dc340f14

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 628 regsvr32.exe
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 772 WScript.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1720 regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	628	regsvr32.exe

flow	pid	process
5	772	WScript.exe

pid	process
1720	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 1720	1680	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fasdfdf-c622789sb.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:772

C:\Windows\system32\regsvr32.exe
regsvr32 -s C:\ProgramData\data.bin
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\regsvr32.exe
-s C:\ProgramData\data.bin
2⤵
- Loads dropped DLL
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data.bin
MD5
7c2c0d0c38ea776a3930e623e08f9578

SHA1
f9954ad849c90e43f4dc515207e0e9d2d1522c49

SHA256
fe3338e47ce7fb0ca32def1eb015c1ce10e1232c5361db0105ea53327ab35b2d

SHA512
bbc114581515fa9a8baa52c2aff990768f81edc2c5a6bd72555d21f039b90524ccd02684d01dd5fa2e048403d9a18943abba5984796137c49e7b1a8c6c54cd77

Download Submit
\ProgramData\data.bin
MD5
7c2c0d0c38ea776a3930e623e08f9578

SHA1
f9954ad849c90e43f4dc515207e0e9d2d1522c49

SHA256
fe3338e47ce7fb0ca32def1eb015c1ce10e1232c5361db0105ea53327ab35b2d

SHA512
bbc114581515fa9a8baa52c2aff990768f81edc2c5a6bd72555d21f039b90524ccd02684d01dd5fa2e048403d9a18943abba5984796137c49e7b1a8c6c54cd77

Download Submit
memory/1680-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1720-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing