Analysis
- Max time kernel: 11s
- Max time network: 12s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 01-02-2022 04:10

Static task: static1

Behavioral task: behavioral1
- Sample: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
- Resource: win10v2004-en-20220113
General
- Target: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
- Size: 1.0MB
- MD5: 7e8c741445cde9246b96c96a9cb89cd1
- SHA1: 93409daece5165c0916e4e45d4c62292f57b34db
- SHA256: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb
- SHA512: 6d27fefa6c01fc07cd5d7ea2d69f9a061ac6438327dec2b1474316c0601ed3f7baeeb37b1fcfac0128274bec9d50f27e5006364006f419927de499cd159a411a
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4864 | 2320 | rundll32.exe
  Note: PID 4864 is the rundll32.exe instance (it is also the writer in the WriteProcessMemory rows below), which leaves 2320 as the wmiprvse.exe parent. The "compromised parent" reading does not fit here: wmiprvse.exe is the WMI provider host and becomes the parent of any process created through WMI (Win32_Process.Create), so a script launching rundll32.exe via WMI produces exactly this signature while hiding the WScript.exe-to-payload parent link.
- Loads dropped DLL (1 IoC)
  Processes (pid | process): 4300 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a TTP-level hit with no process attribution in the report; on its own it is not confirmation of ransomware.
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | process): 4056 | WScript.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 4864 wrote to memory of 4300 | 4864 | rundll32.exe | rundll32.exe (this row is reported three times, i.e. three writes from 4864 into 4300)
Processes
- C:\Windows\System32\WScript.exe (PID 4056, depth 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs"
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\rundll32.exe (PID 4864, depth 1)
  rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4300, depth 2)
    rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer
    - Loads dropped DLL

Reading the tree: the rundll32.exe at depth 1 is not shown under WScript.exe because its parent is wmiprvse.exe (see the "Process spawned unexpected child process" signature), which is consistent with the script launching its dropped payload through WMI rather than directly. The 64-bit rundll32.exe then spawns the SysWOW64 (32-bit) rundll32.exe with the same command line; that is rundll32's standard behaviour when the module it is asked to load is 32-bit, so the dropped file, despite its .exe name, is a 32-bit DLL that gets loaded and run through its DllRegisterServer export (the "Loads dropped DLL" hit sits on the 32-bit child). The WriteProcessMemory hits are the 64-bit parent writing into that child at creation time and carry little signal on their own; the parent and the module path are what matter.
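Detection logic for the two behaviours the report flags (rundll32.exe with an unexpected parent, and rundll32.exe loading a module from a user-writable path through an export such as DllRegisterServer), as an added example that is not part of the Triage report. It runs over process-creation events constructed from the report's process tree; the event field names, the explorer.exe and svchost.exe parents, every parent PID other than 4864, and the benign control event are assumptions.

```python
import re

# Constructed events modelled on the report's process tree (image paths, PIDs
# 4056/4864/4300/2320 and command lines are the report's; the explorer.exe and
# svchost.exe parents, PPIDs 1000 and 800, and the control event are assumed).
# Field names follow a Sysmon Event ID 1 style mapping and are an assumption.
EVENTS = [
    {"pid": 4056, "ppid": 1000,
     "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs"'},
    {"pid": 4864, "ppid": 2320,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r"rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer"},
    {"pid": 4300, "ppid": 4864,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer"},
    # Benign control (constructed): a real DLL in System32 with a normal parent.
    {"pid": 5000, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Parents that should not normally launch rundll32.exe. wmiprvse.exe is the one
# the report flags; the script hosts are added because a VBS/JS dropper that
# launches its payload directly looks the same from a hunting point of view.
UNEXPECTED_PARENTS = {"wmiprvse.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Directories a standard user can write to; a module loaded from here by a
# Windows-signed host deserves a look whatever its extension says.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# [path\]rundll32[.exe] <module>,<export>   (host and module may be quoted)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*([A-Za-z_][\w@]*)',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str):
    """Return (module, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def module_reasons(module: str) -> list:
    """Reasons a rundll32 module argument looks suspicious (empty list if none)."""
    low = module.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("module in user-writable directory")
    if not low.endswith(".dll"):
        reasons.append("module extension is not .dll")
    return reasons


def analyse(events: list) -> list:
    """Apply the parent check and the module check to every rundll32.exe event."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "rundll32.exe":
            continue
        parent = basename(ev["parent_image"])
        if parent in UNEXPECTED_PARENTS:
            findings.append({"pid": ev["pid"], "rule": "unexpected_parent",
                             "detail": f"parent {parent} (ppid {ev['ppid']})"})
        parsed = parse_rundll32(ev["cmdline"])
        if parsed:
            module, export = parsed
            reasons = module_reasons(module)
            if reasons:
                findings.append({"pid": ev["pid"], "rule": "rundll32_suspicious_module",
                                 "detail": f"{module},{export}: " + "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<28} {f['detail']}")
```

Run as-is it reports three hits: PID 4864 for its wmiprvse.exe parent and for its module, and PID 4300 for the same module; the control event from System32 is silent. To use it against real telemetry, map Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId) onto the event dictionaries. The 64-bit-to-32-bit rundll32 self-spawn is deliberately not treated as a signal, since it happens for any 32-bit module; the parent and the module path are what separate this chain from a legitimate COM registration.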
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe
  MD5: 24f98dee17042e0bd3f723f7bbfa839f
  SHA1: 10123cbacb225b078c8e0a847da9e020bc0119e1
  SHA256: 8542bf1c3c7532f11fc39b4b6a20a08ef5bd0c8d42e3262028d4ffdbc5aa88f8
  SHA512: 0db0794e2547015695e40db1d419c944f1d955aa3f3ae3b673900f995b9a45126097f4a6a6029dbe7bfb87ed694bc024f720b05172332b1f41a8600a8bfd3b6f
- C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe
  MD5: f3eda7e9a937677a8c56a1f3c52fc817
  SHA1: 93de3e0ed5f1479071a900b0ee4719df7a60ded4
  SHA256: 4807c24d60a84b5b9dc39aa275d6512814b78a66b157a6214306dbc9fc3cff49
  SHA512: 1dd2270a56ce64f12a77c916698b9cbe3e49ac64f7377ee66ea7c3e07c9269c1e481ef11eb6ab1178372230d40256d8c3a72aae83f298c1b3d8a81340aa28810

Note: the same drop path appears with two different hash sets, presumably one per behavioral run (the report does not say which run produced which). The dropped payload is therefore not byte-identical across executions, so hunt on the VBS hashes above, the drop path and file name, and the rundll32 ...,DllRegisterServer command line rather than on the dropped file's hash alone.