Analysis
- max time kernel: 160s
- max time network: 184s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 22:37
Static task: static1
Behavioral task: behavioral1
Sample: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
Resource: win7-en-20211208
General
- Target: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs
- Size: 38KB
- MD5: 2135d5e3d9eedbdb324af6331d6c6bea
- SHA1: 0c4c364c85126b6e808e9edaef21d8d1e22e3c41
- SHA256: 0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
- SHA512: 3430151be33ac2e312c3427613bca72e6853498a9ced76ad1ff30fbaa04fb8b071fbe9a75a5906957cba5047373452ee7f61a783a1803b723f94b813e7735ebf
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: WScript.exe
  flow  pid  process
  18    504  WScript.exe
  20    504  WScript.exe
- Drops startup file (1 IoC)
  Processes: wscript.exe
  description   ioc                                                                                         process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ltxhyjxyecp.lnk  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description       ioc                                                                                                          process
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                              LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                        LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                        LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                             LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                    LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"              LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"   LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                       LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                   LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                          LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                       LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                             LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"                         LogonUI.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: wscript.exe
  description                 pid   process
  Token: SeShutdownPrivilege  1664  wscript.exe
  Token: SeShutdownPrivilege  1664  wscript.exe
  Token: SeShutdownPrivilege  1664  wscript.exe
  Token: SeShutdownPrivilege  1664  wscript.exe
  Token: SeShutdownPrivilege  1664  wscript.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe
  pid  process
  392  LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WScript.exe
  description                      pid  process      target process
  PID 504 wrote to memory of 1664  504  WScript.exe  wscript.exe
  PID 504 wrote to memory of 1664  504  WScript.exe  wscript.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\ltxhyjxyecp.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\94607304513454\lebthquiokikhkxfl19075384020804.exe
  MD5: e37bbd3f2b9d61006ff7e43ec0826025
  SHA1: 1dabbec6504454c48e2a43b796a526f6e4625576
  SHA256: c9205b71be3ad59dc5455c913eb9d943a2bca2815d03b46c56d73efd0316b120
  SHA512: d68eedd1719d4c9585b311c8e2f595099e2d40fc4a1cd3d19890105234fb1e858bb9f712edc681811371619fe36315ae2cc7c04d8ea3d8de238433350929c9bd
- C:\Users\Admin\AppData\Roaming\ltxhyjxyecp.vbs
  MD5: b517929f202bb31318844e6f9a1b3887
  SHA1: b183ce4ede39587ac8150431dc218d28e1507081
  SHA256: f947ef801247c1d0d289f36c871fde1a8c54238b6246701d3957fc1d1c37117f
  SHA512: 8e523701b63070feab43b3136f701745fe149de292efa8e555aa5d34df72f2e9c12b6565faf63646f851118474584e8d370d67ab3726bddd369c11cc2762f523