Analysis
- max time kernel: 119s
- max time network: 175s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 20:15
Static task: static1
Behavioral task: behavioral1
Sample: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
Resource: win7-en-20211208
General
- Target: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs
- Size: 28KB
- MD5: 814fb0a1cc7a7cf376f3a302449fd2bd
- SHA1: 4b481d5b6a046f583ae5330e71b1f1f427c798ae
- SHA256: 73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
- SHA512: d1e3f73e4ad416691edffbb181cbf382e077d3a22fd8ada80aa1f1a2592e94c013b39b062c76c25b67ab7acaa8c5a9c49bdde3ff3ed379642b8a612b0c856992
Malware Config
Signatures

- Blocklisted process makes network request (3 IoCs)
  Processes: WScript.exe
  flow | pid  | process
  23   | 2736 | WScript.exe
  25   | 2736 | WScript.exe
  27   | 2736 | WScript.exe

- Drops startup file (1 IoC)
  Processes: wscript.exe
  description  | ioc                                                                                                | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwwreldsoao.lnk | wscript.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description      | ioc                                                                                                        | process
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                   | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                     | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"             | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                     | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"                       | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                     | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                           | LogonUI.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                            | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                           | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                      | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                        | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                 | LogonUI.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: wscript.exe
  description               | pid  | process
  Token: SeShutdownPrivilege | 1096 | wscript.exe
  Token: SeShutdownPrivilege | 1096 | wscript.exe
  Token: SeShutdownPrivilege | 1096 | wscript.exe
  Token: SeShutdownPrivilege | 1096 | wscript.exe
  Token: SeShutdownPrivilege | 1096 | wscript.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe
  pid  | process
  3952 | LogonUI.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WScript.exe
  description                    | pid  | process     | target process
  PID 2736 wrote to memory of 1096 | 2736 | WScript.exe | wscript.exe
  PID 2736 wrote to memory of 1096 | 2736 | WScript.exe | wscript.exe
Processes

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\pwwreldsoao.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\14938710153102\zeicpoomrcbajnofq21397207140921.exe
  MD5: 43bbe2756663160ade86c3d09f4673ab
  SHA1: 36e17020faead9ab5144f8a53c03e385426ac49f
  SHA256: d3038c47d193f15bf0566f394744bbdc1df67facd020ed55e15444490717412b
  SHA512: f46e1dcfca045d77acef8ea99c486104c098fd9a935fda25cb69675d0d4a12eec19c23216bad9e7b686d4af38ebc55c043d94d7f74e5ba58a4a7369d1d8f8855

- C:\Users\Admin\AppData\Roaming\pwwreldsoao.vbs
  MD5: 80548b9189c37b3442faf5dacc33808e
  SHA1: 21f599d3e710801395847be15ee5d52c34a11599
  SHA256: 925495ff4eb421e27f714e77aa955bb8733bbaf23d2d77f64c7145d23417f0ec
  SHA512: 8df6f09c7c6a86f739274c272a1d71f8937f99bea9faf783f67f797ff6e57083f4e152efb71a121c9ca51b9db3d22c32a220a6a3c721a59e7db0580ed682b892