Analysis
Max time kernel: 121s
Max time network: 167s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 28-01-2022 21:20
Static task: static1
Behavioral task: behavioral1
Sample: 4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599.vbs
Resource: win7-en-20211208
General
Target: 4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599.vbs
Size: 15KB
MD5: 3c36b6fdd3bafc16376dd2bc68fec317
SHA1: 92729855a8cb8399e02190b17e807c0536e764f3
SHA256: 4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599
SHA512: 65897f7de6e2e7df85f3410d145907f42da49927ec961311901bb950a23c4a610282953f964d4cc8a910db573321a64d3a343de59b66db89f8508cacc5918639
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid  | process
26   | 2812 | WScript.exe
28   | 2812 | WScript.exe
30   | 2812 | WScript.exe
Drops startup file (1 IoC)
Processes:
description  | ioc                                                                                              | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjpkyghnicd.lnk | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (15 IoCs)
Processes:
description      | ioc                                                                                                                                | process
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"                 | LogonUI.exe
Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                                            | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                                            | LogonUI.exe
Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                                                 | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"                  | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                                                 | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"                                             | LogonUI.exe
Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                                                  | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                                              | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                                       | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"                                  | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                                           | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                                        | LogonUI.exe
Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                                           | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description               | pid  | process
Token: SeShutdownPrivilege | 1120 | wscript.exe
Token: SeShutdownPrivilege | 1120 | wscript.exe
Token: SeShutdownPrivilege | 1120 | wscript.exe
Token: SeShutdownPrivilege | 1120 | wscript.exe
Token: SeShutdownPrivilege | 1120 | wscript.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid  | process
3068 | LogonUI.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description                        | pid  | process     | target process
PID 2812 wrote to memory of 1120   | 2812 | WScript.exe | wscript.exe
PID 2812 wrote to memory of 1120   | 2812 | WScript.exe | wscript.exe
Processes
C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599.vbs"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID: 2812
    C:\Windows\System32\wscript.exe (child of PID 2812)
        Command line: wscript.exe C:\Users\Admin\AppData\Roaming\jjpkyghnicd.vbs
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
        PID: 1120
C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 3068
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\81413548409938\iigdbqykrtzmyrgsk12129552721976.exe
MD5: f5fcf71847e23a56c488b1af1448fc6d
SHA1: 1fc456b5d4891973d3b9180cbc8106649a294dc0
SHA256: 1c79eb3f391b30771f42746badb2ace7c0e1c9fb850a0c308951280e1a2124f6
SHA512: 9c4601c38e54b0732ba80bf55ed8374113872e9b322863881bd4e2b59889c6bc06fda52ba3ec84783f99dbca4f3847bada162f6d5ec9d7285468a11367fc3a2f

C:\Users\Admin\AppData\Roaming\jjpkyghnicd.vbs
MD5: a047a515f7034780ce15fcb04d0fdf70
SHA1: 75c4e29b00231611c23871c405141d33d60c7b1e
SHA256: 8fabdc34d49a09558100e46763b4deee9d9f6c4c471fe0faa1ed50f1186f8eb6
SHA512: fa3db3e9d14a6cd38e5abad3cc7f7f3719de37ec5976ae9fb8faf0d9c69ba37fc5181b387ba05c8c28600fb1d7eb6849c9a67a41a0272762fbdbb1ba2837afb2