Analysis
-
max time kernel
8s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
05-02-2022 16:55
Static task
static1
Behavioral task
behavioral1
Sample
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
Resource
win10v2004-en-20220113
General
-
Target
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
-
Size
1.1MB
-
MD5
88cb1b3a2c58a40c6ecbd2897465337d
-
SHA1
2e866fde78317929b59ed9cf63806116b38a0602
-
SHA256
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5
-
SHA512
08450aaefbe3cce898ac8c6dcb5b065b773fdd2b0f66a630711b85d5510f8553f8d19fa6e634d42a6508deb46c10162b2ed74fd3a433f727799a56bbe4cc1bbc
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2460 1968 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 396 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WScript.exepid process 1532 WScript.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2460 wrote to memory of 396 2460 rundll32.exe rundll32.exe PID 2460 wrote to memory of 396 2460 rundll32.exe rundll32.exe PID 2460 wrote to memory of 396 2460 rundll32.exe rundll32.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs"1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exe,DllRegisterServer1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exe,DllRegisterServer2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471