Analysis
max time kernel: 111s
max time network: 170s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 17:37
Static task: static1
Behavioral task: behavioral1
Sample: edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs
Resource: win7-en-20211208
General
Target: edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs
Size: 16KB
MD5: ae5fd104186c3551b922492de895edf1
SHA1: 8022a8078be2a8f96cc5d12e3fe5575a70c88c72
SHA256: edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1
SHA512: ffb411fb4bf7fdaaea50e2c1fb5f65fd7702b09b6640ae4266f4412101b3910efc156f349af48b060501db45d20ca96f609d9612eab5e55e2b4578f3fe548e5b
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Processes (flow, pid, process):
  flow 5, pid 944, WScript.exe
  flow 7, pid 944, WScript.exe
  flow 9, pid 944, WScript.exe

Drops startup file (1 IoC)
Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ductrxerrwp.lnk (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description, pid, process):
  Token: SeShutdownPrivilege, pid 912, wscript.exe
  Token: SeShutdownPrivilege, pid 912, wscript.exe
  Token: SeShutdownPrivilege, pid 912, wscript.exe
  Token: SeShutdownPrivilege, pid 912, wscript.exe
  Token: SeShutdownPrivilege, pid 912, wscript.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
  PID 944 wrote to memory of 912: WScript.exe -> wscript.exe
  PID 944 wrote to memory of 912: WScript.exe -> wscript.exe
  PID 944 wrote to memory of 912: WScript.exe -> wscript.exe
Processes (process tree; depth shown as level 1 or level 2)

Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1.vbs"
  Signatures:
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

  Level 2 (child of the above): C:\Windows\System32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\ductrxerrwp.vbs
    Signatures:
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0

Level 1: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\12764927804469\ocoeczoltybebuqmh90699926257133.exe
  MD5: 37a8a4d42990e77156a8e4977589d146
  SHA1: c5e3126599fb95f2b356f932845227ef2731a0f0
  SHA256: f07aaf0620120be715bae06fa5e387a82558c2fc3870ac7532c8deb01988fcda
  SHA512: bd366bcb5b483d68cd59a5df0cea6ec04df2f073241307bed9714a2a1f1d73349f166becad4ad4b19d92bc9e174836de25a4cddfc0a2e0f280c22f36a3e3ff6d

C:\Users\Admin\AppData\Roaming\ductrxerrwp.vbs
  MD5: 64e9b27668cee58fb62f75c2bb4497d7
  SHA1: 83e72c8444b4430ed70be681e6a027544ec4ad0f
  SHA256: 620ae013cc1d3dd5ff68246a880ca20298fa139ba53c8d627531cd412087ffca
  SHA512: 877b123ed259cde650b8b072cad8d5c23032b237d1141efc8e3ee6fdb03780ae5643f4635928b566caec8b17e699a47cd4c66766863a9d2fd5ee13ede42d3bed

memory/268-63-0x0000000002760000-0x0000000002761000-memory.dmp
  Filesize: 4KB

memory/944-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
  Filesize: 8KB

memory/1716-61-0x0000000002810000-0x0000000002811000-memory.dmp
  Filesize: 4KB