Analysis
- max time kernel: 127s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 22:37
Static task: static1
Behavioral task: behavioral1
Sample: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
Resource: win7-en-20211208
General
- Target: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
- Size: 38KB
- MD5: 2135d5e3d9eedbdb324af6331d6c6bea
- SHA1: 0c4c364c85126b6e808e9edaef21d8d1e22e3c41
- SHA256: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
- SHA512: 3430151be33ac2e312c3427613bca72e6853498a9ced76ad1ff30fbaa04fb8b071fbe9a75a5906957cba5047373452ee7f61a783a1803b723f94b813e7735ebf
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid | process
  5 | 1680 | WScript.exe
  7 | 1680 | WScript.exe
- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztwibeazvtr.lnk | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1052 | wscript.exe (5 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1680 wrote to memory of 1052 | 1680 | WScript.exe | wscript.exe (3 identical entries)
Processes
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- [1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
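The chain above (a script host launched from a temp directory, re-launching itself from AppData\Roaming and writing a .lnk into the Startup folder) is a common VBS persistence pattern, and it can be caught from endpoint process-creation and file-creation telemetry without needing the sample's hashes. The following is an added detection example, not output of the sandbox or code from the report: it runs four rules over constructed Sysmon-style event records whose PIDs and paths are copied from the process tree and IoCs above. The parent PID 896 for the first WScript.exe, the assumption that PID 1680 is what wrote ztwibeazvtr.vbs, and the benign netlogon-share control event are assumptions made for the example.

```python
"""Detect the WScript persistence chain from this report over constructed
Sysmon-style process (ID 1) and file-create (ID 11) records."""
import ntpath
import re

# Windows Script Host binaries that execute .vbs/.js files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
# User-writable profile locations that a centrally deployed logon script rarely lives in.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Local\\Temp|Roaming)|Downloads|Desktop)\\", re.IGNORECASE)
# Per-user Startup folder: anything dropped here runs at the next logon.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Constructed events (assumption: simplified Sysmon-like dicts). PIDs and paths come
# from the report; ppid 896 for the first WScript.exe and the writer of ztwibeazvtr.vbs
# being PID 1680 are assumed, not stated in the report.
EVENTS = [
    {"kind": "process", "pid": 1680, "ppid": 896,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs"'},
    {"kind": "file", "pid": 1680, "image": r"C:\Windows\System32\WScript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs"},
    {"kind": "process", "pid": 1052, "ppid": 1680,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs"},
    {"kind": "file", "pid": 1052, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ztwibeazvtr.lnk"},
    # Benign control (constructed): a domain logon script run from a share should stay silent.
    {"kind": "process", "pid": 2200, "ppid": 896,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\map_drives.vbs"},
]


def _name(path):
    """Case-folded basename of an image path (Windows separators)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid) hits in event order. Parent lookups use the
    process events seen so far in the same batch."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        if _name(e["image"]) not in SCRIPT_HOSTS:
            continue
        if e["kind"] == "process":
            # Rule 1: script host running a script out of a user-writable profile path.
            if USER_WRITABLE.search(e["cmdline"]) and SCRIPT_EXT.search(e["cmdline"]):
                hits.append(("script_host_from_user_dir", e["pid"]))
            # Rule 2: script host spawned by another script host (stage-2 re-launch).
            parent = procs.get(e["ppid"])
            if parent and _name(parent["image"]) in SCRIPT_HOSTS:
                hits.append(("script_host_spawns_script_host", e["pid"]))
        elif e["kind"] == "file":
            # Rule 3: script host writing into the Startup folder (logon persistence).
            if STARTUP_DIR.search(e["target"]):
                hits.append(("script_host_drops_startup_file", e["pid"]))
            # Rule 4: script host dropping another script into a user-writable path.
            elif USER_WRITABLE.search(e["target"]) and SCRIPT_EXT.search(e["target"]):
                hits.append(("script_host_writes_script", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Rule 2 is the highest-signal of the four: outside of a few installer frameworks, a script host spawning another script host is rare on workstations, whereas rule 1 alone will fire on ad hoc admin scripts and needs the parent and drop context (rules 2 to 4) to be worth paging on.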
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\91069432199001\jciumgltyvdxbhubu87285924792289.exe
  MD5: 10628587d7abeb26a69582600e7ebb55
  SHA1: 6275a74a5d743f2339429f28bb038cf6413f8163
  SHA256: 5bbe23bdfac10a749556e44dd3f9e88ff3c954e6dce279f00a81ebfbdc2c8fb1
  SHA512: 295a06718862bf8248a59d2bf699e0d7ab98c82e929842e927ca0b0a5bd378178978eaf845582f7b41c91cdd4bfbaf1d827f745fb17d7e02e2c448a63941f3be
- C:\Users\Admin\AppData\Roaming\ztwibeazvtr.vbs
  MD5: 39135c07b23784c350b222bfa9214caa
  SHA1: 67bcf4c7fd933c81f141db9cea11c505ad40214e
  SHA256: 13bfc0b207b10ee2b82c59396b94fa2977e6e4040454f855596eef449583688d
  SHA512: 1539b52a888b58fa5fdf909543b37875ba6bed67885c4bbe00b7d9f4a990621d1a9bb1b9463828f866374191e292d2bd125b90d31bd93a2106dc5377621d5b2c
- memory/896-60-0x00000000027C0000-0x00000000027C1000-memory.dmp
  Filesize: 4KB
- memory/1216-62-0x0000000002760000-0x0000000002761000-memory.dmp
  Filesize: 4KB
- memory/1680-55-0x000007FEFB791000-0x000007FEFB793000-memory.dmp
  Filesize: 8KB