Analysis
max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 23:18

Static task: static1
Behavioral task: behavioral1
  Sample: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
  Resource: win10v2004-20220414-en
General
Target: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
Size:   115KB
MD5:    7103f17d8ef1883e893a9a10333feec2
SHA1:   46f722fc1af5cba5cf322a8c3af20f58cfce47e9
SHA256: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478
SHA512: 8b177b6128b78756b3a75f22ef4f62d9b5bf189c7e53dc4cc7871dc24bc93a5677f27ac2064e483cb09a55f2b4825148da8499373708046645c425508f5f8fb0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1060  wscript.exe

Modifies Windows Firewall (1 TTP)

Drops startup file (2 IoCs)
  File created (by wscript.exe):
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247f78ab72096ae9469980cb6ed2519a.exe
  File opened for modification (by wscript.exe):
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\247f78ab72096ae9469980cb6ed2519a.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by wscript.exe:
    \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\247f78ab72096ae9469980cb6ed2519a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscript.exe\" .."
  Set value (str) by wscript.exe:
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247f78ab72096ae9469980cb6ed2519a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wscript.exe\" .."
Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  That sentence is the engine's generic text for this heuristic. Nothing else in this report supports a ransomware reading: the only file writes recorded are the Startup-folder copy, and there is no mass file modification or ransom-note drop. The observed behaviour is persistence (Run keys, Startup folder) plus a firewall exception for the dropped binary.
Suspicious use of AdjustPrivilegeToken (29 IoCs)
  All by pid 1060 wscript.exe:
    Token: SeDebugPrivilege             x1
    Token: 33                           x14
    Token: SeIncBasePriorityPrivilege   x14
  Order in the report: SeDebugPrivilege once, then 14 alternating pairs of Token 33 and SeIncBasePriorityPrivilege. Token 33 is privilege LUID 33, SeIncreaseWorkingSetPrivilege, shown by number rather than by name.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1948 (fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe) wrote to memory of PID 1060 (wscript.exe)   x3
  PID 1060 (wscript.exe) wrote to memory of PID 940 (netsh.exe)   x3
Processes
1. C:\Users\Admin\AppData\Local\Temp\fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\wscript.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wscript.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wscript.exe" "wscript.exe" ENABLE
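The process tree above is the whole chain this report records: the sample writes a copy of itself to %TEMP% under the name wscript.exe, that copy registers itself under both the HKCU and HKLM Run keys and in the Startup folder, and then calls netsh to whitelist itself in Windows Firewall. The Python below is an added example, not part of the Triage report or its tooling: a minimal rule set that re-derives those findings from the report's events. The Event and Finding records and their field names are this example's own schema, the sample events are constructed by hand from the IoCs printed on this page, and the ATT&CK IDs are this example's mapping to current technique numbers (the report only says its matrix is ATT&CK v6). It goes slightly beyond the page by also parsing the newer `netsh advfirewall firewall add rule ... program=... action=allow` form, which is how the same action looks on Vista and later; the `netsh firewall` context used here is the legacy one that Windows 7 still accepts.

```python
"""Rule-based re-triage of the events in this report (added example, not Triage code).

Event/Finding and their field names are this example's own schema; the sample
events at the bottom are hand-constructed from the IoCs printed on the page.
"""
import re
from dataclasses import dataclass
from typing import List

# Directories an installer would not normally use for a persistent binary (lower-case).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Well-known Windows binary names; one of these outside SYSTEM_DIRS is a masquerade.
SYSTEM_BINARY_NAMES = {"wscript.exe", "cscript.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# One Windows command-line token: bare text and/or "quoted segments", glued together.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass(frozen=True)
class Event:
    kind: str        # "process" | "registry_set" | "file_create"
    process: str     # image name of the acting process
    data: str        # command line, registry value path, or file path
    value: str = ""  # registry data (registry_set only), unescaped as stored


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # current ATT&CK technique ID (this example's mapping)
    evidence: str


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, dropping quotes but keeping quoted spaces."""
    return [m.group(0).replace('"', "") for m in TOKEN_RE.finditer(cmdline)]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def is_masquerading(path: str) -> bool:
    """A well-known system binary name that does not live in a system directory."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not any(d in p for d in SYSTEM_DIRS)


def firewall_allowed_program(cmdline: str) -> str:
    """Program path a netsh command whitelists, or "" if it is not such a command.

    Covers the legacy context seen in this report (netsh firewall add allowedprogram <path> ...)
    and the Vista+ form (netsh advfirewall firewall add rule ... program=<path> action=allow).
    """
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not low or not (low[0] in ("netsh", "netsh.exe") or low[0].endswith("\\netsh.exe")):
        return ""
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        return toks[4]
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        kv = {k.lower(): v for k, v in (t.split("=", 1) for t in toks[5:] if "=" in t)}
        if kv.get("action", "").lower() == "allow" and kv.get("program"):
            return kv["program"]
    return ""


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "process":
            prog = firewall_allowed_program(ev.data)
            if prog and in_user_writable(prog):
                findings.append(Finding("firewall_exception_for_user_writable_binary", "T1562.004", prog))
            toks = tokenize(ev.data)
            if toks and is_masquerading(toks[0]):
                findings.append(Finding("system_binary_name_outside_system_dir", "T1036.005", toks[0]))
        elif ev.kind == "registry_set" and RUN_KEY_RE.search(ev.data):
            toks = tokenize(ev.value)   # first token of the Run value is the launched image
            if toks and in_user_writable(toks[0]):
                hive = "HKLM" if ev.data.upper().startswith("\\REGISTRY\\MACHINE") else "HKCU"
                findings.append(Finding("run_key_to_user_writable_binary", "T1547.001", f"{hive} {ev.data} -> {toks[0]}"))
        elif ev.kind == "file_create" and STARTUP_RE.search(ev.data):
            findings.append(Finding("startup_folder_drop", "T1547.001", ev.data))
    return findings


# Constructed from the IoCs on this page (registry data shown unescaped, as it is stored).
SAMPLE = "fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
REPORT_EVENTS = [
    Event("process", SAMPLE, f'"{TEMP}{SAMPLE}"'),
    Event("process", "wscript.exe", f'"{TEMP}wscript.exe"'),
    Event("process", "netsh.exe", f'netsh firewall add allowedprogram "{TEMP}wscript.exe" "wscript.exe" ENABLE'),
    Event("registry_set", "wscript.exe",
          "\\REGISTRY\\USER\\S-1-5-21-2277218442-1199762539-2004043321-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\247f78ab72096ae9469980cb6ed2519a",
          f'"{TEMP}wscript.exe" ..'),
    Event("registry_set", "wscript.exe",
          "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\247f78ab72096ae9469980cb6ed2519a",
          f'"{TEMP}wscript.exe" ..'),
    Event("file_create", "wscript.exe",
          "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\247f78ab72096ae9469980cb6ed2519a.exe"),
]

if __name__ == "__main__":
    for f in triage(REPORT_EVENTS):
        print(f"{f.technique:<10} {f.rule:<45} {f.evidence}")
```

Run against the constructed events this yields five findings: the firewall exception for a binary under %TEMP%, the wscript.exe name used outside System32, one Run-key finding per hive, and the Startup-folder drop. A legitimate Run value pointing into Program Files, or a netsh rule with action=block, produces nothing, which is the distinction a hunting query built from these rules needs to make.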
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\wscript.exe  (the same file is listed twice in the report)
  Filesize: 115KB
  MD5:    7103f17d8ef1883e893a9a10333feec2
  SHA1:   46f722fc1af5cba5cf322a8c3af20f58cfce47e9
  SHA256: fb9367fc01d62c07a617373ecdc5d6e703c91b4455560965fcb253cafab13478
  SHA512: 8b177b6128b78756b3a75f22ef4f62d9b5bf189c7e53dc4cc7871dc24bc93a5677f27ac2064e483cb09a55f2b4825148da8499373708046645c425508f5f8fb0
  These hashes are identical to those of the submitted sample (see General above): the dropped wscript.exe is a byte-for-byte copy of the sample written to %TEMP%, not the Windows Script Host binary from System32. Reusing that name is what makes the Run-key value and the netsh allowedprogram entry look legitimate at a glance; the path, not the file name, is the tell.
memory/940-60-0x0000000000000000-mapping.dmp
memory/1060-56-0x0000000000000000-mapping.dmp
memory/1060-59-0x000007FEF2B50000-0x000007FEF3BE6000-memory.dmp  (16.6MB)
memory/1060-62-0x0000000002056000-0x0000000002075000-memory.dmp  (124KB)
memory/1948-54-0x000007FEF2D90000-0x000007FEF3E26000-memory.dmp  (16.6MB)
memory/1948-55-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp  (8KB)