Analysis
- max time kernel: 11s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210410 (this page reports the behavioral3 run of the VBS sample; see the task list below)
- submitted: 25-06-2021 17:58
Static task
- static1
Behavioral tasks
- behavioral1: sample _.exe, resource win7v20210408
- behavioral2: sample _.exe, resource win10v20210408
- behavioral3: sample fasdfdf-c622789sb.vbs, resource win7v20210410
- behavioral4: sample fasdfdf-c622789sb.vbs, resource win10v20210408
General
- Target: fasdfdf-c622789sb.vbs
- Size: 8KB
- MD5: 102b99a1526857fb40dafee9b0f7b7dc
- SHA1: a21304e8c5d20e867b9f55b079ad89d4c81e4fe8
- SHA256: e0ad1addf863b85a4a3e51794a86f3a665eaa39de8ef9ac9b1a67023fdad6479
- SHA512: 7f13e29929cd48993a45c4faddd0ad97def49a2b86063cca3a45d2f7c56136001219afab7accf7c93c1b5c106a563a596f65946c762c987c9ffa9d10dc340f14
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this trace the parent is C:\Windows\system32\wbem\wmiprvse.exe, the host process that services WMI requests; a script that creates a process through WMI (Win32_Process.Create) produces exactly this parent, so the more likely reading here is that the VBS launched regsvr32.exe via WMI rather than that WmiPrvSE.exe itself was exploited. For the same reason regsvr32.exe appears at the top level of the process tree below instead of under WScript.exe.
Processes:
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid: 1680; pid_target: 628; process: regsvr32.exe
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 5 772 WScript.exe -
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1720 regsvr32.exe -
-
Modifies system certificate store 2 IoCs
The key written is under AuthRoot\Certificates, the store that Windows' automatic root certificate update populates, and the thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is that of the DST Root CA X3 root. When a process opens a TLS connection to a server whose chain ends in a root not yet present on the Windows 7 image, the system fetches and installs that root itself; this activity is most plausibly that mechanism, triggered by the script host's download, rather than the script installing a trust anchor of its own. Treat the network request as the primary indicator and this registry write as secondary.
Processes:
- WScript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- WScript.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
regsvr32.exedescription pid process target process PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe PID 1680 wrote to memory of 1720 1680 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\System32\WScript.exe (depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fasdfdf-c622789sb.vbs"
- Blocklisted process makes network request
- Modifies system certificate store
-
C:\Windows\system32\regsvr32.exe (depth 1; parent WmiPrvSE.exe, see "Process spawned unexpected child process")
Command line: regsvr32 -s C:\ProgramData\data.bin
The -s switch is silent mode, so no DllRegisterServer success or failure dialog is shown. The payload is registered from C:\ProgramData under a non-.dll extension; the 64-bit regsvr32 re-launches the SysWOW64 copy because data.bin is a 32-bit module.
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe (depth 2; child of the regsvr32.exe above)
Command line: -s C:\ProgramData\data.bin
- Loads dropped DLL
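The three stages recorded in this process tree (a script host downloading with the WinHttpRequest User-Agent, regsvr32.exe started under WmiPrvSE.exe, and regsvr32 loading a non-.dll module from C:\ProgramData) are each detectable from ordinary process-create, image-load and HTTP telemetry. The following is an added example of that detection logic, not code from the sandbox or the sample. The event records are constructed to mirror the PIDs, images and command lines above plus two benign control rows; the field names are an assumed schema loosely modelled on Sysmon-style events, not any vendor's real format.

```python
"""Detection rules for the WScript -> WMI -> regsvr32 -> data.bin chain.
Added example; events below are constructed to mirror the sandbox report."""
import ntpath

# Constructed events (assumed schema). PIDs, images and command lines follow the report;
# the explorer.exe parent, ppid 1104 and the two control rows are assumptions.
EVENTS = [
    {"type": "process", "pid": 772, "ppid": 1104,
     "image": r"C:\Windows\System32\WScript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fasdfdf-c622789sb.vbs"'},
    {"type": "http", "pid": 772, "image": r"C:\Windows\System32\WScript.exe", "flow": 5,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"type": "process", "pid": 1680, "ppid": 628,
     "image": r"C:\Windows\system32\regsvr32.exe", "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r"regsvr32 -s C:\ProgramData\data.bin"},
    {"type": "process", "pid": 1720, "ppid": 1680,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent_image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"-s C:\ProgramData\data.bin"},
    {"type": "image_load", "pid": 1720, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "loaded_module": r"C:\ProgramData\data.bin"},
    # Benign controls: a normal DLL registration from Explorer and a browser request with a browser UA.
    {"type": "process", "pid": 2000, "ppid": 1104,
     "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"type": "http", "pid": 2100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "flow": 9,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"},
]

WMI_HOST = "wmiprvse.exe"
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_UA_MARKER = "winhttp.winhttprequest"  # substring of the WinHttpRequest COM object's default UA
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def regsvr32_module(cmdline):
    """Module path handed to regsvr32, ignoring /s, -s and other switches.
    Splits on whitespace; a quoted path containing spaces would need a real
    CommandLineToArgvW-style tokenizer, which the report's command lines do not require."""
    tokens = [t.strip('"') for t in cmdline.split()]
    args = [t for t in tokens
            if not t.startswith(("/", "-")) and image_name(t) not in ("regsvr32", "regsvr32.exe")]
    return args[-1] if args else None


def module_reasons(path):
    """Why a module passed to regsvr32 looks suspicious (empty list means it looks normal)."""
    p = path.lower()
    reasons = []
    if not p.endswith(".dll"):
        reasons.append("non-.dll extension")
    if p.startswith(USER_WRITABLE):
        reasons.append("user-writable location")
    return reasons


def rule_wmi_spawn(ev):
    # WmiPrvSE.exe as parent of a LOLBin is the Win32_Process.Create launch pattern.
    if ev["type"] == "process" and image_name(ev["parent_image"]) == WMI_HOST \
            and image_name(ev["image"]) in LOLBINS:
        return f"{image_name(ev['image'])} spawned by WmiPrvSE.exe (Win32_Process.Create pattern)"
    return None


def rule_script_host_http(ev):
    # Fire on the script host itself or on the WinHttpRequest default User-Agent from any process.
    if ev["type"] != "http":
        return None
    ua = ev.get("user_agent", "")
    if image_name(ev["image"]) in SCRIPT_HOSTS or SCRIPT_UA_MARKER in ua.lower():
        return f"flow {ev.get('flow')}: {image_name(ev['image'])} HTTP request, User-Agent {ua!r}"
    return None


def rule_regsvr32_module(ev):
    # Check both the command line at process start and the module actually mapped at load time.
    if image_name(ev["image"]) != "regsvr32.exe":
        return None
    if ev["type"] == "process":
        mod = regsvr32_module(ev["cmdline"])
    elif ev["type"] == "image_load":
        mod = ev["loaded_module"]
    else:
        return None
    reasons = module_reasons(mod) if mod else []
    return f"regsvr32 module {mod} ({', '.join(reasons)})" if reasons else None


RULES = {"wmi_spawn": rule_wmi_spawn,
         "script_host_http": rule_script_host_http,
         "regsvr32_module": rule_regsvr32_module}


def analyze(events):
    """Run every rule over every event; return one finding dict per hit, in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"], "detail": detail})
    return findings


def chain_detected(findings):
    """True when all three rules fire, i.e. the full download-then-register chain is present."""
    return set(RULES) <= {f["rule"] for f in findings}


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for f in hits:
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
    print("full chain detected:", chain_detected(hits))
```

Each rule is weak on its own (regsvr32 under WmiPrvSE.exe also occurs with legitimate software deployment, and AuthRoot updates are noise), which is why `chain_detected` only reports when all three stages appear; the two control rows show that a normal `regsvr32 /s` of a System32 DLL and a browser request produce no findings.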
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\data.bin (also recorded as \ProgramData\data.bin; identical hashes)
- MD5: 7c2c0d0c38ea776a3930e623e08f9578
- SHA1: f9954ad849c90e43f4dc515207e0e9d2d1522c49
- SHA256: fe3338e47ce7fb0ca32def1eb015c1ce10e1232c5361db0105ea53327ab35b2d
- SHA512: bbc114581515fa9a8baa52c2aff990768f81edc2c5a6bd72555d21f039b90524ccd02684d01dd5fa2e048403d9a18943abba5984796137c49e7b1a8c6c54cd77
-
memory/1680-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp
- Filesize: 8KB
-
memory/1720-62-0x0000000000000000-mapping.dmp
-
memory/1720-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
- Filesize: 8KB