Analysis
- max time kernel: 110s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 21:39

Static task: static1
Behavioral task: behavioral1
- Sample: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs
- Resource: win7-en-20211208
General
- Target: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs
- Size: 24KB
- MD5: 2e98d98e8a55a16ad16cdc1130e5d729
- SHA1: 84bce822d684af2425115292ae930dea77e8a5b0
- SHA256: 33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58
- SHA512: e6662e8120b5d148a3f6a68c6c5045c17fa40400b90461e9c4ec2e2870e3ee1e6e4caf356af6e6758c165b335a4672e3324929658fb0853ca70c375183a9cc3d
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid   process
    17    2464  WScript.exe
    19    2464  WScript.exe
    21    2464  WScript.exe
- Drops startup file (1 IoC)
  Processes:
    description   ioc                                                                                             process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hrjeswygxzr.lnk  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes (all entries by LogonUI.exe):
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                  pid  process
    Token: SeShutdownPrivilege   812  wscript.exe
    Token: SeShutdownPrivilege   812  wscript.exe
    Token: SeShutdownPrivilege   812  wscript.exe
    Token: SeShutdownPrivilege   812  wscript.exe
    Token: SeShutdownPrivilege   812  wscript.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1300  LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                      pid   process      target process
    PID 2464 wrote to memory of 812  2464  WScript.exe  wscript.exe
    PID 2464 wrote to memory of 812  2464  WScript.exe  wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\hrjeswygxzr.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Roaming\89575428903102\szvpdyjaabeqnbaxp29518300890921.exe
  MD5     9b1f99f5653f46ed5bbb3c91a1dd14b2
  SHA1    80d650696f5cffac8b01486e6662f6119af82871
  SHA256  7219bb635a8adcfa5842dacafa9f8b6307d9fbd67402cb5cc8ba9694f5f8f4b9
  SHA512  de922b9127f561045603aa5f3739575674babfc13807d30fcb931a8cc01f976bd356348ba8c1ee04e025421b7c99adb8bd26ed59f93af32dc130569b54b3fe7f
- C:\Users\Admin\AppData\Roaming\hrjeswygxzr.vbs
  MD5     1b28acf5988464298da2358ddf533839
  SHA1    f9def5b23c29921c5c1cd8b430acf7aa5ef13c84
  SHA256  1740e7637c9ac7c7fb81fa5e47b87bba7ad65bd49d422d658a34ac32ee55244b
  SHA512  1c3de15faa4e9de8c822dfc04a67cf1885f5f4c4ad860f5d3d442446da8847891a22ed6fab89c5ef09655885ec7a86328197e68a958114f5276aca7b6a337077