Analysis
- max time kernel: 115s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 21:39
Static task: static1
Behavioral task: behavioral1
Sample: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs
Resource: win7-en-20211208
General
- Target: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs
- Size: 24KB
- MD5: 2e98d98e8a55a16ad16cdc1130e5d729
- SHA1: 84bce822d684af2425115292ae930dea77e8a5b0
- SHA256: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58
- SHA512: e6662e8120b5d148a3f6a68c6c5045c17fa40400b90461e9c4ec2e2870e3ee1e6e4caf356af6e6758c165b335a4672e3324929658fb0853ca70c375183a9cc3d
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
  5 | 792 | WScript.exe
  7 | 792 | WScript.exe
  9 | 792 | WScript.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npzbqcbfgmo.lnk | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 992 | wscript.exe
  Token: SeShutdownPrivilege | 992 | wscript.exe
  Token: SeShutdownPrivilege | 992 | wscript.exe
  Token: SeShutdownPrivilege | 992 | wscript.exe
  Token: SeShutdownPrivilege | 992 | wscript.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 792 wrote to memory of 992 | 792 | WScript.exe | wscript.exe
  PID 792 wrote to memory of 992 | 792 | WScript.exe | wscript.exe
  PID 792 wrote to memory of 992 | 792 | WScript.exe | wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs"
  Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs
    Signatures: Drops startup file; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\53251057565211\xxlnbfmzjoavpwnrj55032674670218.exe
  MD5: 888a916ac4bfe9d21264a4fb5c90d1b8
  SHA1: f7553c87162c2d5921887d73101ad855aeb7cc1f
  SHA256: b3c8e8bc565146ad62d55d85d3f2018430c794f82867471c3f0fad0b4c3e7cae
  SHA512: 13a97d398cbd1d6692d501725c41977455900eeaf21261995940e00339528a42851a07c042f2c9e1c5198ee5138e1b5e6023d5fb6207c52340b1490462d5bb6b
- C:\Users\Admin\AppData\Roaming\npzbqcbfgmo.vbs
  MD5: 5a669f2b328b72b70f2c4f2b23d430cc
  SHA1: 0d02ccd7d6fd99a3f4779c09e31253209d429d6f
  SHA256: 167f675c06dc46ba8d4682f7588e4cc7fb83be9ef873e976c0dfd759715a58a2
  SHA512: f9334ecd3b7c5b0ef877b756d4988185ea3a81683d17caf228dd3ed7344d7be188f07a3c0ee7b9180425329b7e8b8414a7b7354ef4611766005110967d63083e
- memory/792-54-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp
  Filesize: 8KB
- memory/1708-61-0x0000000002820000-0x0000000002821000-memory.dmp
  Filesize: 4KB
- memory/1892-59-0x0000000002840000-0x0000000002841000-memory.dmp
  Filesize: 4KB