Analysis
max time kernel: 81s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs
  Resource: win10-en-20211208
General
Target: ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs
Size: 27KB
MD5: 6d4c57b3600d896553e1a4aa0419dfec
SHA1: ae960f8bcb5401e756a4074ca9fdfe6d4b303b23
SHA256: ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765
SHA512: 183f4178aa5ff56a7a27f4e6ef70c1a3e9b1fd098a624511053833f0cd310d6dbfc4235f764be204994409a871dce92fbb8559c18750f505f3fcd7cd650d91fa
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  5     1588  WScript.exe
  7     1588  WScript.exe
  9     1588  WScript.exe
- Drops startup file (1 IoC)
  description   ioc                                                                                           process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzczczsnnxo.lnk  wscript.exe
  Note: the shortcut name matches the dropped script mzczczsnnxo.vbs, but the report does not show what the .lnk points to.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic drive-enumeration heuristic; nothing else in this report (no mass file writes or renames, only the two dropped files listed under Downloads) corroborates ransomware.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   process
  Token: SeShutdownPrivilege  1560  wscript.exe   (repeated 5 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process      target process
  PID 1588 wrote to memory of 1560  1588  WScript.exe  wscript.exe   (repeated 3 times)
  Note: all three writes are from the parent WScript.exe into its own child (PID 1560), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\System32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Roaming\mzczczsnnxo.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1
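As an added triage example (not part of the sandbox report or its tooling), the two behaviours above that matter most for detection, a script host spawning a second script host on a .vbs dropped under the user's AppData and that child writing a .lnk into the per-user Startup folder, expressed as rules over simplified Sysmon-like events. The event shape, the rule and function names, and the benign control event are assumptions; the sample events are constructed to mirror the report's process tree and file drop (the explorer.exe parent of PID 1588 is assumed, the report does not show it).

```python
"""Triage rules for the script-host behaviour seen in this report.

Input is a list of simplified, Sysmon-like event dicts (an assumed shape,
not the sandbox's native format). SAMPLE_EVENTS is constructed to mirror
the process tree and the Startup .lnk drop listed in the report.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Per-user Startup folder on any drive letter, any user name.
USER_STARTUP = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\"
    r"start menu\\programs\\startup\\", re.IGNORECASE)

# User-writable drop locations seen in the report: AppData\Roaming and AppData\Local\Temp.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)


def image_name(path):
    """Last path component, lower-cased, so WScript.exe and wscript.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def startup_drop(ev):
    """Rule: a script host creates a file in the per-user Startup folder (persistence)."""
    return (ev["type"] == "FileCreate"
            and image_name(ev["image"]) in SCRIPT_HOSTS
            and USER_STARTUP.match(ev["target"]) is not None)


def script_host_chain(ev):
    """Rule: a script host spawns another script host on a .vbs that lives
    under the user's AppData, i.e. a dropped second-stage script."""
    return (ev["type"] == "ProcessCreate"
            and image_name(ev["parent_image"]) in SCRIPT_HOSTS
            and image_name(ev["image"]) in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev["cmdline"]) is not None
            and ev["cmdline"].lower().rstrip('"').endswith(".vbs"))


RULES = [("startup_drop", startup_drop), ("script_host_chain", script_host_chain)]


def triage(events):
    """Return (rule_name, pid) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["pid"]))
    return hits


# Constructed events mirroring the report: 1588 runs the sample from Temp, spawns
# 1560 on the dropped script, and 1560 writes the Startup .lnk. The last event is
# a benign control (a script launched from Program Files by explorer.exe).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1588,
     "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # assumed parent; not in the report
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp'
                r'\ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765.vbs"'},
    {"type": "ProcessCreate", "pid": 1560,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Roaming\mzczczsnnxo.vbs"},
    {"type": "FileCreate", "pid": 1560,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\mzczczsnnxo.lnk"},
    {"type": "ProcessCreate", "pid": 4242,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.vbs"'},
]

if __name__ == "__main__":
    for name, pid in triage(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Only the child process (PID 1560) fires: the chain rule needs a script host as parent, so the initial launch from Temp and the benign control do not match, and the persistence rule fires on the .lnk write regardless of what the shortcut points to, which is the right default when, as here, the target is not known.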
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\65360188424586\wholncdhqzaczwqmf26246297717093.exe
  MD5: 2f1d0920834f364df684b19b5b11bc0b
  SHA1: b389ec2c0688a2e16d4f08fb96a7f3b216de693d
  SHA256: 9db95c28faa1d1fc37cf569059e745b008ef6a50aaeb7fc66ec22e75f5b2718c
  SHA512: 2bd1b85f15a604abbfae1d8b67ef57e75a9b4833515bbc74a2bb2fd535918d2b602c3014845f4b8147c0fa43396e9bcdcc1e97e05c3cc17205cf222d18fe18e5
- C:\Users\Admin\AppData\Roaming\mzczczsnnxo.vbs
  MD5: 2ff4424eacaec05692a8cf937bb01c1d
  SHA1: 0beabe198f17ee33a4c357578c0d512d2c9f0565
  SHA256: d13afd1689a369795d1cd2e8775f9c32164a3d35bf709f0f4c9a0faf26a45627
  SHA512: d60b4c7cf25333c9b32c3eb4427c50a140d8a44eedcd6c7393f1c800fa501d11884ca3ec8cfc3afd9fd8c7be9ea9c5ef590cb136b7de99ae2a4074a26f56bad5
- memory/1536-60-0x00000000027C0000-0x00000000027C1000-memory.dmp
  Filesize: 4KB
- memory/1548-62-0x00000000026E0000-0x00000000026E1000-memory.dmp
  Filesize: 4KB
- memory/1588-55-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp
  Filesize: 8KB