Analysis
max time kernel: 111s
max time network: 108s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 21:51
Static task: static1
Behavioral task: behavioral1
Sample: 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs
Resource: win7-en-20211208
General
Target: 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs
Size: 16KB
MD5: 8796bfe9c4735fe01a04125c25e67ed8
SHA1: 3c3b3f0ae2617ce7e240e9ae35c023d91addbd0c
SHA256: 29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a
SHA512: 80c103adb21dee293201edb0d7d7047c05b34b8fae666a147f660b3041a606d2ef9a1f8cbf162b41b595d42d7b13ec32ef3478c81bf8d1934db07dde85b66211
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Processes (flow | pid | process):
  5 | 780 | WScript.exe
  7 | 780 | WScript.exe
  9 | 780 | WScript.exe

Drops startup file (1 IoC)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ueexzkbobmm.lnk | wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description | pid | process):
  Token: SeShutdownPrivilege | 972 | wscript.exe
  Token: SeShutdownPrivilege | 972 | wscript.exe
  Token: SeShutdownPrivilege | 972 | wscript.exe
  Token: SeShutdownPrivilege | 972 | wscript.exe
  Token: SeShutdownPrivilege | 972 | wscript.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 780 wrote to memory of 972 | 780 | WScript.exe | wscript.exe
  PID 780 wrote to memory of 972 | 780 | WScript.exe | wscript.exe
  PID 780 wrote to memory of 972 | 780 | WScript.exe | wscript.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (child of the process above)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\ueexzkbobmm.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\57831257760524\emqjlnmieoykrzytb82380941271781.exe
  MD5: b571729b40f9a5c331e2b4caab4bce0c
  SHA1: 4ef7f04826145a0673955231343a430150bf0010
  SHA256: d17d0b10aea65d745b5208b889ddbe83d752ec03e7e6bd1dc56a885ebe47035c
  SHA512: 9ef5a7518587496a3f84352d319bd620632de95de9346b213c699ec27c3627dc7e425912d468af3c1b74446897e23ab4262c36690bae1ac93d137323d96a316d

C:\Users\Admin\AppData\Roaming\ueexzkbobmm.vbs
  MD5: 398288220bfcc65746b56d3b96f83f8a
  SHA1: 8036ddc4d1569314612ab5e9e490da438f2b02ab
  SHA256: c2c56eb2aeaa9779f87ba32eb27394a0f3b6f10b941685a9722ca3581b1c8ede
  SHA512: 277d7b3bba9f84126a5a2b0d61263ee894c3d2c1ff74376e1297e23bad8401d798ca3c972551064fd40597b3f973432ba0df832c1b3b299c9f8bdf415aa286d3

memory/780-55-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp
  Filesize: 8KB

memory/1708-63-0x0000000002820000-0x0000000002821000-memory.dmp
  Filesize: 4KB

memory/1880-61-0x0000000002880000-0x0000000002881000-memory.dmp
  Filesize: 4KB