Analysis
- max time kernel: 110s
- max time network: 111s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 17:24
Static task: static1
Behavioral task: behavioral1
Sample: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs
Resource: win7-en-20211208
General
- Target: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs
- Size: 12KB
- MD5: fb20b1b1d48d96bacde2fd6caaeb42e7
- SHA1: 49d5aab4e2611b8ba10e11b7de5e9eeb3d56e35a
- SHA256: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c
- SHA512: dfbc923b992f059546c35e8adeb97594de0fd97640dbd21f291bb727371239d2c9a9028c740ebb3a8467de99e3399524b2bd5b09bc1d5872f4b9db80134d4e40
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  5 / 1508 / WScript.exe
  7 / 1508 / WScript.exe
  9 / 1508 / WScript.exe
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uovjbwufudw.lnk / wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
  Token: SeShutdownPrivilege / 1384 / wscript.exe
  Token: SeShutdownPrivilege / 1384 / wscript.exe
  Token: SeShutdownPrivilege / 1384 / wscript.exe
  Token: SeShutdownPrivilege / 1384 / wscript.exe
  Token: SeShutdownPrivilege / 1384 / wscript.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  PID 1508 wrote to memory of 1384 / 1508 / WScript.exe / wscript.exe
  PID 1508 wrote to memory of 1384 / 1508 / WScript.exe / wscript.exe
  PID 1508 wrote to memory of 1384 / 1508 / WScript.exe / wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\uovjbwufudw.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Downloads
- C:\Users\Admin\AppData\Roaming\55633305490016\ewivmzezxfihbamki44441717028617.exe
  MD5: e33bd14d7aeec17c77b2bbcd12f4b815
  SHA1: f18b5b59f424bab80bcda6ffb4661084408fe885
  SHA256: 49eee13f8cdaf094dce3515baa7c0cfb4d3b12048d773114ed73e0ab6ea065b5
  SHA512: 7291b86ae230d0dbe202781fa28568f282120bae561d1e8f08174a02fb7b776ab9fc4f62f741df6a01d2b2dad08edb3edf556fae0b8e3a4bfa3ed4b03c56d979
- C:\Users\Admin\AppData\Roaming\uovjbwufudw.vbs
  MD5: 02b52d2139d9c641d01680f809f95f7f
  SHA1: bb4ed150f03c1f6fb611f21d5c30c0f7b2e9df85
  SHA256: 2f530bdafa6b30f0e2e658bb60b8b8574db474aa9c475ac2095a8b771957236b
  SHA512: e25d1813e832afff613d2fc63567bbb19e245069d1e6752d9b81e2b741dd3cfebf7486b6132e5a2b7d734c5a19a30bcd080d0f3ee1e4d0081bcf7fb05dce3458
- memory/956-61-0x00000000027E0000-0x00000000027E1000-memory.dmp
  Filesize: 4KB
- memory/1508-54-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp
  Filesize: 8KB
- memory/1728-59-0x0000000002910000-0x0000000002911000-memory.dmp
  Filesize: 4KB