Overview

overview

10

Static

static

ec17f950f6...51.vbs

windows7_x64

10

ec17f950f6...51.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    182s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs

  • Size

    46KB

  • MD5

    99ec3237394257cb0b5c24affe458f48

  • SHA1

    5300e68423da9712280e601b51622c4b567a23a4

  • SHA256

    ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

  • SHA512

    af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

Score
10/10
discoveryevasionexploitpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Blocklisted process makes network request 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 11 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 22 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51.vbs" /elevated
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1224
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
            PID:1892
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
            4⤵
              PID:1164
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
              4⤵
                PID:360
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im explorer.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:848
              • C:\Windows\explorer.exe
                explorer.exe
                4⤵
                • Modifies registry class
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1592
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\System32\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:904
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\System32 /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1352
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:1720
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\ /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1604
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x48c
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1784

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        1
        T1089

        Modify Registry

        6
        T1112

        File Permissions Modification

        1
        T1222

        Install Root Certificate

        1
        T1130

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\Bolbi.txt
          Filesize

          29B

          MD5

          b37ed35ef479e43f406429bc36e68ec4

          SHA1

          5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

          SHA256

          cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

          SHA512

          d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

          Download Submit
        • C:\Users\Public\Ghostroot\KillDora.bat
          Filesize

          482B

          MD5

          4f08159f1d70d41bf975e23230033a0f

          SHA1

          ea88d6fbdcf218e0e04a650d947250d8a3dfad40

          SHA256

          d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

          SHA512

          958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

          Download Submit
        • C:\Users\Public\ghostroot\8ydfdsE.jpg
          Filesize

          59KB

          MD5

          1e8cd861c7919b862a9c47abae3dcce3

          SHA1

          4d44512ae2da33a9355463231184bbbfdc4396f2

          SHA256

          cba3db7504d0b98a3bc5bebc7d4479360f4535378a9ee113c2269811d0a8d6d9

          SHA512

          ee06887355aeff3fe2865bcde6050d8d139668e78bb352a6a0f32b36446887dab78e50a88c0762e3b3d36dd3288546a6283e2f19a7873f01733666046be60e48

          Download Submit
        • memory/360-62-0x0000000000000000-mapping.dmp
          Download
        • memory/848-63-0x0000000000000000-mapping.dmp
          Download
        • memory/904-65-0x0000000000000000-mapping.dmp
          Download
        • memory/1164-61-0x0000000000000000-mapping.dmp
          Download
        • memory/1224-55-0x0000000000000000-mapping.dmp
          Download
        • memory/1352-67-0x0000000000000000-mapping.dmp
          Download
        • memory/1496-57-0x0000000000000000-mapping.dmp
          Download
        • memory/1592-64-0x0000000000000000-mapping.dmp
          Download
        • memory/1604-70-0x0000000000000000-mapping.dmp
          Download
        • memory/1720-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1776-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1892-59-0x0000000000000000-mapping.dmp
          Download