Analysis

  • max time kernel
    113s
  • max time network
    109s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 22:02

General

  • Target
    2298b7ee6aeb19cd6c9e2f3ae6377e1cf5aab0d2d3f3102d4d51683c79a91da8.vbs
  • Size
    20KB
  • MD5
    591a3ed820a2528a2e382e7d08aba957
  • SHA1
    d1cb1ccc7ebabdb8ba1575eee9b7f9e546664763
  • SHA256
    2298b7ee6aeb19cd6c9e2f3ae6377e1cf5aab0d2d3f3102d4d51683c79a91da8
  • SHA512
    010a8e54da686d211354879ea6d9d020a9ca4403592242c9d85dc9447ffb474ded90b5ab0d0f782250838fa3c6885b2693b19fc737b5e5d94b0c66f296b27a10

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2298b7ee6aeb19cd6c9e2f3ae6377e1cf5aab0d2d3f3102d4d51683c79a91da8.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\mlabdclzcgj.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:448
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2056

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\97749394357204\jyewltyialrxganwa1528020739554.exe
    MD5
    a8f9c497e1465d8795550bb22cfc2aed
    SHA1
    3708db7b52a03201fd1f49fb1058d069878b474d
    SHA256
    f7544ff7b71c283c209fcd4d9207acaedc1830c569d9a173f3ef52a4db0c6b1f
    SHA512
    6fed4502741dfed51df2a22fad5a0d69a72286e6f1fc65db4041d8a2505611828f35b8a0edb35b57b2121dd9e462d4adb0e8bd7eecf9fc578c225da056acf961

  • C:\Users\Admin\AppData\Roaming\mlabdclzcgj.vbs
    MD5
    ce7f61f180ac42136d8ad6019bca3b3a
    SHA1
    db01295566b6a7fa5fe9bc19b2861c9e36630b50
    SHA256
    15596b881cf362351ac2821607bc422c4e4c986cb8227ea30268dba4d2112c6e
    SHA512
    c68844fdef727a011cf927b2a3725d3602352980582bc7d77818b1bf1da35a2f7b3754cf63838a150705313729755a8c61db8e042fb0aa7456b9a729aea9b39a