Analysis
- max time kernel: 115s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 20:15

Static task: static1
Behavioral task: behavioral1
- Sample: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
- Resource: win7-en-20211208
General
- Target: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
- Size: 28KB
- MD5: 814fb0a1cc7a7cf376f3a302449fd2bd
- SHA1: 4b481d5b6a046f583ae5330e71b1f1f427c798ae
- SHA256: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
- SHA512: d1e3f73e4ad416691edffbb181cbf382e077d3a22fd8ada80aa1f1a2592e94c013b39b062c76c25b67ab7acaa8c5a9c49bdde3ff3ed379642b8a612b0c856992
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
  flow | pid  | process
  5    | 1220 | WScript.exe
  7    | 1220 | WScript.exe
  9    | 1220 | WScript.exe
- Drops startup file (1 IoC)
  Processes:
  description  | ioc                                                                                        | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfjnpllynee.lnk | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description                | pid  | process
  Token: SeShutdownPrivilege | 1944 | wscript.exe
  Token: SeShutdownPrivilege | 1944 | wscript.exe
  Token: SeShutdownPrivilege | 1944 | wscript.exe
  Token: SeShutdownPrivilege | 1944 | wscript.exe
  Token: SeShutdownPrivilege | 1944 | wscript.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                      | pid  | process     | target process
  PID 1220 wrote to memory of 1944 | 1220 | WScript.exe | wscript.exe
  PID 1220 wrote to memory of 1944 | 1220 | WScript.exe | wscript.exe
  PID 1220 wrote to memory of 1944 | 1220 | WScript.exe | wscript.exe
Processes (indentation shows the process tree)
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Roaming\hfjnpllynee.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1
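The signatures and the process tree together describe one persistence chain: the submitted .vbs is run by WScript.exe (pid 1220), a copy named hfjnpllynee.vbs appears under %APPDATA%, a Startup-folder .lnk of the same name is created, and a child wscript.exe (pid 1944) is launched on the dropped copy, while pid 1220 makes the network requests. The detection logic below is an added example, not sandbox output, and turns that chain into three endpoint rules run over constructed Sysmon-style ProcessCreate (Event ID 1) and FileCreate (Event ID 11) events modelled on the report. Where the report does not state a value (the parent of the first WScript.exe, which pid wrote the downloaded .exe, LogonUI.exe's pid) the sample events use an assumption and say so in a comment.

```python
"""Detection rules for the persistence chain in this report, run over
constructed Sysmon-style events (added example; not output of the sandbox).

Field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11
(FileCreate). The events are built from the report's process tree, its
"Drops startup file" IoC and its Downloads list; values the report does not
state are assumptions and marked as such below.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Per-user Startup folder, as in ...\Start Menu\Programs\Startup\hfjnpllynee.lnk
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Script file under %APPDATA% (Roaming), as in ...\AppData\Roaming\hfjnpllynee.vbs
ROAMING_SCRIPT_RE = re.compile(
    r"\\AppData\\Roaming\\(?:[^\\]+\\)*[^\\]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
# Executable written under %APPDATA%, as in ...\Roaming\87894108712673\...exe
ROAMING_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\(?:[^\\]+\\)*[^\\]+\.exe$", re.I)


@dataclass
class Event:
    event_id: int              # 1 = ProcessCreate, 11 = FileCreate (Sysmon numbering)
    pid: int
    image: str                 # full path of the acting process
    parent_image: str = ""     # ProcessCreate only
    command_line: str = ""     # ProcessCreate only
    target_filename: str = ""  # FileCreate only


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the report's chain."""
    findings = []
    for ev in events:
        if _name(ev.image) not in SCRIPT_HOSTS:
            continue  # every rule here is about the Windows script host
        if ev.event_id == 1:
            # Script host spawned by a script host to run a script from %APPDATA%
            # (report: WScript.exe pid 1220 -> wscript.exe pid 1944 on hfjnpllynee.vbs)
            if (_name(ev.parent_image) in SCRIPT_HOSTS
                    and ROAMING_SCRIPT_RE.search(ev.command_line)):
                findings.append(("script_host_relaunch_from_roaming", ev.pid, ev.command_line))
        elif ev.event_id == 11:
            if STARTUP_LNK_RE.search(ev.target_filename):
                # Persistence: .lnk dropped into the Startup folder by a script host
                findings.append(("script_host_drops_startup_lnk", ev.pid, ev.target_filename))
            elif ROAMING_EXE_RE.search(ev.target_filename):
                # Second-stage payload written under %APPDATA% by a script host
                findings.append(("script_host_writes_exe_to_roaming", ev.pid, ev.target_filename))
    return findings


# Constructed events modelled on the report's process tree and IoCs.
SAMPLE_EVENTS = [
    # Root WScript.exe on the submitted sample. Its parent is not shown in the
    # report (explorer.exe is assumed); no rule should fire on this event.
    Event(1, 1220, r"C:\Windows\System32\WScript.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs"'),
    # Child wscript.exe on the dropped copy (pid 1944, per the WriteProcessMemory IoCs)
    Event(1, 1944, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WScript.exe",
          r"wscript.exe C:\Users\Admin\AppData\Roaming\hfjnpllynee.vbs"),
    # "Drops startup file" IoC, attributed to wscript.exe in the report
    Event(11, 1944, r"C:\Windows\System32\wscript.exe",
          target_filename=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfjnpllynee.lnk"),
    # The .exe from the Downloads list. The report does not say which pid wrote
    # it; pid 1220 (the process with the network flows) is assumed.
    Event(11, 1220, r"C:\Windows\System32\WScript.exe",
          target_filename=r"C:\Users\Admin\AppData\Roaming\87894108712673\snvyaovsqfrzwsuey81125615954398.exe"),
    # LogonUI.exe from the tree: benign noise (pid and parent not in the report; 0 is a placeholder)
    Event(1, 0, r"C:\Windows\system32\LogonUI.exe", "", r'"LogonUI.exe" /flags:0x0'),
]


def run_sample():
    """Run the rules over the constructed events; three findings, on pids 1944 and 1220."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid, detail in run_sample():
        print(f"{rule:36} pid={pid:<5} {detail}")
```

The first rule deliberately requires a script-host parent: a user double-clicking a .vbs gives an explorer.exe parent and stays quiet, whereas the self-relaunch in this report does not. The other two fire on file writes alone, so they also catch variants that change the child-process step but keep the Startup .lnk or the %APPDATA% payload drop.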
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\87894108712673\snvyaovsqfrzwsuey81125615954398.exe
  MD5: 35fe7fe4f6b5e51002bf724b586adb42
  SHA1: 4f693c4c3660b42729e4c5c595164a5174cba10b
  SHA256: 45a6fd212f8f83419abf7810d56f2a5e1285b106879fb230a9d9d233e8629839
  SHA512: f20ad9e677ca98a6f63e402101a52d80a033b39093c37471c3d3a81be42375da673f472406e994835309ce27ee04ecea944a0bc3e8daf4cd29f2e2c66dcdf907
- C:\Users\Admin\AppData\Roaming\hfjnpllynee.vbs
  MD5: afba27a3628d57f1b19ae5fcde93bed5
  SHA1: 10dbdfb65a5a94ce039530a29bbd9ab27bd39567
  SHA256: e416df27567b11e8c87c082e52d3214050b94dd728a42c6f59485ed55f610d7d
  SHA512: f59af5e866585a2de51b36b97dd5c6ad4ff77fe36ec8b8496d6bb74c7e2e46251cb4acaa595bc09285e7f514293266a806d50fe4f315f1c1e0439752544c9973
- memory/960-61-0x00000000027A0000-0x00000000027A1000-memory.dmp
  Filesize: 4KB
- memory/1068-59-0x0000000002840000-0x0000000002841000-memory.dmp
  Filesize: 4KB
- memory/1220-54-0x000007FEFC321000-0x000007FEFC323000-memory.dmp
  Filesize: 8KB