Analysis
- max time kernel: 1620s
- max time network: 1624s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
  Resource: win10v2004-20220414-en
General
- Target: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
- Size: 7KB
- MD5: dfb14599941880b99894df47efb1f16a
- SHA1: 7a825416de64b45bc9e553f6aff9c4ddc098d6db
- SHA256: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0
- SHA512: e909cd980d8d319db04e1c550bf09e9618ba0e5e81b30b9acefec28bb89683eb90349472074bb4c409ac1091e3adcb708b56d5d4a87ad38402aff3b6a7274286
Malware Config
- Extracted: metasploit
  Encoder: encoder/shikata_ga_nai
- Extracted: metasploit
  Payload: windows/reverse_tcp
  C2: 186.95.209.178:4545
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  1996 | AcgwroNrzrb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                          | pid  | process     | target process
  PID 1624 wrote to memory of 1996     | 1624 | WScript.exe | AcgwroNrzrb.exe
  PID 1624 wrote to memory of 1996     | 1624 | WScript.exe | AcgwroNrzrb.exe
  PID 1624 wrote to memory of 1996     | 1624 | WScript.exe | AcgwroNrzrb.exe
  PID 1624 wrote to memory of 1996     | 1624 | WScript.exe | AcgwroNrzrb.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\radB5875.tmp\AcgwroNrzrb.exe (child of WScript.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\radB5875.tmp\AcgwroNrzrb.exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\radB5875.tmp\AcgwroNrzrb.exe
  Filesize: 4KB
  MD5: 175a9304c628824c24827c464d24fab3
  SHA1: b3022defd71196172a5bbdb2e902fc9bb7fa9133
  SHA256: fe25fafe0fbf8afa5139996108bcf40e87add4b2b15e2321c17756dceb18f159
  SHA512: de4b0c98d0cd1ead7b20bbde368cd5f8246d9e9267d9382567a2391b429df18aa5345aa06e099f1bd45c371adddc28e6e9e8f1207447f91d886d5d322a45b726
- memory/1624-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp
  Filesize: 8KB
- memory/1996-55-0x0000000000000000-mapping.dmp
- memory/1996-57-0x0000000000400000-0x0000000000404000-memory.dmp
  Filesize: 16KB