161ef8d489aa4af60893cbf531e4760fc25db74b0afa5e3056bb8a52f532824a

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-06-2022 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tracking#1912257252583.vbs
Size

602KB
MD5

02782c8c2739ebc98df5b5bcfb758ead
SHA1

409d28546f0589ba6f8af73c8cbb7328be717aba
SHA256

aa14013aab2ff7beea20c14c710dafde5f4bd79d8e125f63ed38e788c6e4aa18
SHA512

3907e36f23dea3337fee11696066c3f738f2c4587de39374267105c8fc8abeee6ffd761251478bab9d31bbed09d6c8c1495b4d4fb9c2cc782e0e9df542f7db9d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2500	regsvr32.exe	46

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1596	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid	Process
2176	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	Process	procid_target
PID 3340 wrote to memory of 1596	3340	regsvr32.exe	82
PID 3340 wrote to memory of 1596	3340	regsvr32.exe	82
PID 3340 wrote to memory of 1596	3340	regsvr32.exe	82

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Tracking#1912257252583.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2176

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\qWpXetKdDZgdAo.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\qWpXetKdDZgdAo.txt
  2⤵
  - Loads dropped DLL
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qWpXetKdDZgdAo.txt

Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWpXetKdDZgdAo.txt

Filesize
138KB

MD5
ea193f350cbcdd48d5bd55e7ea934838

SHA1
b22ca46d1da866f4675916580cf2e8cb690f984b

SHA256
c1cbc33ffd320ea7657a732db883c989370e501fd902dcabfc8a1924b9e4d16b

SHA512
b84dec2a5a9f01d051021018e3f67fc545c11b1d3aec329e95495d411fa7d761feac66034eeea33974260b8c9974111897a51fb50bd68ec71e507d4bcdc22e65

Download Submit
memory/1596-131-0x0000000000000000-mapping.dmp

Download