Analysis
-
max time kernel
143s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 09:05
Static task
static1
Behavioral task
behavioral1
Sample
d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1.vbs
Resource
win7-20220414-en
General
-
Target
d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1.vbs
-
Size
10KB
-
MD5
d7a54b62097678df7ad6a0d2871dc342
-
SHA1
0a0ff21cc2c81d4a7de738d944445e48ed9ef314
-
SHA256
d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1
-
SHA512
813a82139954ec7669829b8d0cf270657ce64a2d8294a1b35e3d9a6212af3af7905f9e386ad3dff03ba9fddf595c25388620cf01ea29e9ae22798aa7e01b2637
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
Processes:
WScript.exeflow pid process 25 1140 WScript.exe 27 1140 WScript.exe 29 1140 WScript.exe 31 1140 WScript.exe 41 1140 WScript.exe 43 1140 WScript.exe 48 1140 WScript.exe -
Drops startup file 1 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsddvmfcqyd.lnk wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
wscript.exedescription pid process Token: SeShutdownPrivilege 4976 wscript.exe Token: SeShutdownPrivilege 4976 wscript.exe Token: SeShutdownPrivilege 4976 wscript.exe Token: SeShutdownPrivilege 4976 wscript.exe Token: SeShutdownPrivilege 4976 wscript.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 4864 LogonUI.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WScript.exedescription pid process target process PID 1140 wrote to memory of 4976 1140 WScript.exe wscript.exe PID 1140 wrote to memory of 4976 1140 WScript.exe wscript.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1840a5a846f8799b6b28fd3ece9125a4ac9bf94de13010573723ec3546944c1.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exewscript.exe C:\Users\Admin\AppData\Roaming\wsddvmfcqyd.vbs2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a09855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\20553685128688\gaqogppwtapdnllqc48916173815726.exeFilesize
321B
MD549a863cf917e135403bba7e2c7c37792
SHA1e077fa08e233bead25b18687d15096a91097277a
SHA256a61f2d652a9c23ece25a50482f250b54a2902cfc382f218ed28e8d243ba56b14
SHA5122d46628e0161a409bcb91c36e3596dfe188c080647b133f87bf769cbc1198b0f2d277b42d818b634165ccfa027a8802e35103b94b9bb8ba719dcccbf9f52ee71
-
C:\Users\Admin\AppData\Roaming\wsddvmfcqyd.vbsFilesize
653B
MD5f6efdef43917d150051c7e8d3daf0d68
SHA106e954617645877f4f66c56743414e74ccfbebdd
SHA256a977f563d131b0db6bb80779b9bfd30ac5de79152e1190d0b2ee5762c12752c2
SHA51248d94a7c99668085c5e80304a4c131dc4ffc618546dfe26e33d3c285c63b89160692579fe3ccd4195264384bac6a0632dbc9e0cb94191144520006dbad7a7f17
-
memory/4976-130-0x0000000000000000-mapping.dmp