Analysis
- max time kernel: 103s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 17:24
Static task: static1
Behavioral task: behavioral1
Sample: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs
Resource: win7-en-20211208
General
- Target: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs
- Size: 12KB
- MD5: fb20b1b1d48d96bacde2fd6caaeb42e7
- SHA1: 49d5aab4e2611b8ba10e11b7de5e9eeb3d56e35a
- SHA256: f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c
- SHA512: dfbc923b992f059546c35e8adeb97594de0fd97640dbd21f291bb727371239d2c9a9028c740ebb3a8467de99e3399524b2bd5b09bc1d5872f4b9db80134d4e40
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
    17 | 2580 | WScript.exe
    19 | 2580 | WScript.exe
    21 | 2580 | WScript.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twaiqxhrite.lnk | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes (description | ioc | process):
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 2716 | wscript.exe
    Token: SeShutdownPrivilege | 2716 | wscript.exe
    Token: SeShutdownPrivilege | 2716 | wscript.exe
    Token: SeShutdownPrivilege | 2716 | wscript.exe
    Token: SeShutdownPrivilege | 2716 | wscript.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    1724 | LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description | pid | process | target process):
    PID 2580 wrote to memory of 2716 | 2580 | WScript.exe | wscript.exe
    PID 2580 wrote to memory of 2716 | 2580 | WScript.exe | wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Roaming\twaiqxhrite.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\49291722238063\bydgmecqtjxnooign47586828112601.exe
  MD5: ea1690e3f85b74ff1945f8e8d3940980
  SHA1: 69b717da26aa78f94839b0adf37158585b071d65
  SHA256: e9db57709d31e10e2b9cf2c1bea24ab86dd9f4dd16425c7700916d01570a0996
  SHA512: 3ba74c42ac8403e975ec1afb0752552318ecf17f76fc05ff651da9f6a4bdf7637e3eb7e6895ada16fea3cf384174b870b9fac8da47b5fb2b5123f1660967c2d6
- C:\Users\Admin\AppData\Roaming\twaiqxhrite.vbs
  MD5: b23b87d7263da42fbfd7be7e1e92a0aa
  SHA1: b2ab691a9be8e88250b7a18d5fc98086430076f8
  SHA256: 765e305be8ce5bb289cc901ff776fe4aea30a4a81e2abb2192b7c9b01c8fc34c
  SHA512: 1760eee2c66a9b3ea7263ec99513953a76c946f47a8afffad1240d210448cf590cf942429050e2019f298f1ed94cb31ec24cc26c0614aff0b2139287cdf9060b