Analysis
max time kernel: 1562s
max time network: 1602s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
  Resource: win10v2004-20220414-en
General
Target: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs
Size: 7KB
MD5: dfb14599941880b99894df47efb1f16a
SHA1: 7a825416de64b45bc9e553f6aff9c4ddc098d6db
SHA256: a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0
SHA512: e909cd980d8d319db04e1c550bf09e9618ba0e5e81b30b9acefec28bb89683eb90349472074bb4c409ac1091e3adcb708b56d5d4a87ad38402aff3b6a7274286
Malware Config
Extracted: metasploit
  Encoder: encoder/shikata_ga_nai
Extracted: metasploit
  Payload: windows/reverse_tcp
  C2: 186.95.209.178:4545
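The C2 above was recovered by the sandbox from the decoded stager. As an added example (not part of this report, and not Metasploit's own code), the following shows how the reverse_tcp host and port can be pulled out of a decoded Metasploit windows/reverse_tcp stager by matching the instructions that build the sockaddr_in: on x86 two `push` immediates (opcode 0x68), and, as a generalization beyond this 32-bit sample, on x64 a single `mov r14, imm64`. The byte strings below are constructed for the example with this report's C2 substituted in; they are not bytes from the sample. Because shikata_ga_nai is a polymorphic XOR encoder, this pattern is not visible in the raw payload; run the extractor over the decoded bytes or a memory dump of the running process.

```python
import re
import socket
import struct

# x86 windows/reverse_tcp stager: after the API-resolution block the stager
# builds a sockaddr_in on the stack with two pushes:
#   68 <ip4>             push <ip>           (IP in network byte order)
#   68 02 00 <port BE>   push 0x<port>0002   (AF_INET = 2, htons(port))
X86_SOCKADDR_RE = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)

# x64 windows/reverse_tcp stager: the same sockaddr_in is loaded as one
# 64-bit immediate, mov r14, imm64 (49 BE), laid out little-endian as
# 02 00 <port BE> <ip4>. Generalization beyond the x86 sample in this report.
X64_SOCKADDR_RE = re.compile(rb"\x49\xbe\x02\x00(.{2})(.{4})", re.DOTALL)


def extract_reverse_tcp_c2(blob):
    """Return (ip, port) pairs for every reverse_tcp sockaddr_in found in blob.

    Matches with port 0 are dropped as noise: a real stager never connects to port 0.
    """
    hits = []
    for m in X86_SOCKADDR_RE.finditer(blob):
        port = struct.unpack(">H", m.group(2))[0]
        if port:
            hits.append((socket.inet_ntoa(m.group(1)), port))
    for m in X64_SOCKADDR_RE.finditer(blob):
        port = struct.unpack(">H", m.group(1))[0]
        if port:
            hits.append((socket.inet_ntoa(m.group(2)), port))
    return hits


# Constructed for this example: a fragment shaped like a decoded x86 stager with
# 186.95.209.178:4545 in place. NOT bytes taken from AcgwroNrzrb.exe.
SAMPLE_X86 = (
    b"\xfc\xe8\x82\x00\x00\x00"      # cld; call <next>   (generic stager prologue)
    + b"\x90" * 16                   # filler standing in for the API-hashing block
    + b"\x68\xba\x5f\xd1\xb2"        # push 0xb2d15fba    -> 186.95.209.178
    + b"\x68\x02\x00\x11\xc1"        # push 0xc1110002    -> AF_INET, port 4545
    + b"\x89\xe6"                    # mov esi, esp
    + b"\x90" * 8
)

# Constructed x64 counterpart carrying the same address (also not from the sample).
SAMPLE_X64 = (
    b"\x90" * 8
    + b"\x49\xbe\x02\x00\x11\xc1\xba\x5f\xd1\xb2"  # mov r14, 0xb2d15fbac1110002
    + b"\x41\x56"                                  # push r14
)

if __name__ == "__main__":
    for name, blob in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64)):
        for ip, port in extract_reverse_tcp_c2(blob):
            print(f"{name}: reverse_tcp -> {ip}:{port}")
```

The natural real-world input here is the 16KB process memory dump of PID 2084 listed under Downloads, which holds the stager after the encoder has run; on the raw 4KB dropped file the regexes will find nothing. The pattern is deliberately loose (no check on the surrounding API calls), so treat a hit as a lead to confirm by disassembly rather than a verdict.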
Signatures
MetaSploit
  Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.
Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2084  AcgwroNrzrb.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence check.
  Processes:
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation   WScript.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); the sandbox treats this as a heuristic commonly associated with ransomware.
Suspicious use of WriteProcessMemory (3 IoCs)
  All three writes are from the parent WScript.exe (PID 2064) into the dropped executable it launched (PID 2084).
  Processes:
  description                       pid   process      target process
  PID 2064 wrote to memory of 2084  2064  WScript.exe  AcgwroNrzrb.exe
  PID 2064 wrote to memory of 2084  2064  WScript.exe  AcgwroNrzrb.exe
  PID 2064 wrote to memory of 2084  2064  WScript.exe  AcgwroNrzrb.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe"
      - Executes dropped EXE
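The process tree above (a script host launching an executable it has just dropped under %LOCALAPPDATA%\Temp, together with the Geo\Nation registry lookup) is what a host-based detection would key on. The following is an added example, not from this report or the sandbox vendor: a Python prototype of those rules run over constructed Sysmon-style process-creation and registry-query events modelled on this tree. PIDs 2064 and 2084, the image paths and the registry key come from the report; the explorer.exe parent, its PIDs, and the notepad.exe control event are invented for the example. In production the same logic would be expressed as Sigma or EDR rules; Python is used here so it can be run offline.

```python
import re

# Script hosts whose children we scrutinise (cscript.exe is WScript.exe's console twin).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Any executable launched from under the user's Temp directory.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\.*\.exe$", re.IGNORECASE)
# The rad<5 hex digits>.tmp scratch folder seen in this report (rad6CD33.tmp).
RAD_TMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\rad[0-9A-F]{5}\.tmp\\", re.IGNORECASE)
# Country-code value queried by the dropper, flagged by the sandbox as a likely geofence.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, rule, pid, detail) tuples for every event matching a rule.

    Process lineage is resolved from the process_create events in the same batch,
    so the parent image is known even when the event itself only carries the PPID.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if parent is None or image_name(parent["image"]) not in SCRIPT_HOSTS:
                continue
            if TEMP_EXE_RE.search(e["image"]):
                # A rad*.tmp staging folder is the specific shape seen here; any Temp EXE
                # spawned by a script host is still worth a medium-severity alert.
                severity = "high" if RAD_TMP_DIR_RE.search(e["image"]) else "medium"
                alerts.append((severity, "script_host_spawns_temp_exe", e["pid"], e["image"]))
        elif e["type"] == "registry_query":
            if image_name(e["image"]) in SCRIPT_HOSTS and GEO_NATION_RE.search(e["key"]):
                alerts.append(("low", "script_host_geo_nation_lookup", e["pid"], e["key"]))
    return alerts


# Constructed events modelled on this report's process tree. explorer.exe (PIDs 800/1500)
# and notepad.exe (PID 3000) are invented; the WScript.exe/AcgwroNrzrb.exe rows use the
# PIDs, paths and registry key from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1500, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 2064, "ppid": 1500,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ec45e5a2ac6e61515c4e57b096fac59ae78f0849efabad7ab973cd15cbe9b0.vbs"'},
    {"type": "registry_query", "pid": 2064,
     "image": r"C:\Windows\System32\WScript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2084, "ppid": 2064,
     "image": r"C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe"'},
    # Benign control: an EXE launched by explorer.exe, not by a script host.
    {"type": "process_create", "pid": 3000, "ppid": 1500,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for severity, rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule} pid={pid} {detail}")
```

The WriteProcessMemory IoCs in this report are the parent writing into its freshly created child and add nothing beyond the parent/child relationship, so they are not used as a separate rule here; the lineage check already captures that relationship. The geofence lookup is scored low on its own because legitimate scripts can read the same key, but it sharpens the picture when it appears from the same PID as the Temp EXE launch.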
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\rad6CD33.tmp\AcgwroNrzrb.exe
  Filesize: 4KB
  MD5: 175a9304c628824c24827c464d24fab3
  SHA1: b3022defd71196172a5bbdb2e902fc9bb7fa9133
  SHA256: fe25fafe0fbf8afa5139996108bcf40e87add4b2b15e2321c17756dceb18f159
  SHA512: de4b0c98d0cd1ead7b20bbde368cd5f8246d9e9267d9382567a2391b429df18aa5345aa06e099f1bd45c371adddc28e6e9e8f1207447f91d886d5d322a45b726
memory/2084-130-0x0000000000000000-mapping.dmp
memory/2084-133-0x0000000000400000-0x0000000000404000-memory.dmp
  Filesize: 16KB