Analysis

max time kernel: 43s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 20:41

Static task: static1

Behavioral task: behavioral1
Sample: 1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a.vbs
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a.vbs
Resource: win10v2004-20220414-en
General

Target: 1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a.vbs
Size: 30KB
MD5: 1f99155b3e9e1aac1673e6a80424d956
SHA1: ab70b90e6018c2d59aa4c8e48dabe28f94993c51
SHA256: 1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a
SHA512: bbbf9a93ac243d745eb7963a5829c500dbc41340f2333da4f8a40850dd43f1c353442a6d7613df0aafc62c3194050bdd3754c778a95c42bd410d2418f1a768fd
Malware Config

Extracted
Family: metasploit
Payload: windows/download_exec
URL: http://ctfd.top:8080/2nyC
Headers:
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: ctfd.top
Signatures

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Executes dropped EXE (1 IoC)
  Processes:
    PID 1696  shell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a generic heuristic. The configuration extracted above is a download-and-execute stager, so on its own this signature is not evidence of ransomware.

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source -> target):
    PID 1968 (WScript.exe) wrote to memory of PID 1696 (shell.exe), recorded 4 times
Processes

1. C:\Windows\System32\WScript.exe (PID 1968)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\shell.exe (PID 1696)
      "C:\Users\Admin\AppData\Local\Temp\shell.exe"
      - Executes dropped EXE
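The report gives enough to build host and network detections for this sample: a script host starting an executable out of the user's Temp directory (the WScript.exe -> shell.exe pair above), the dropped file's hash, and the stager's request to http://ctfd.top:8080/2nyC with its User-Agent. The script below is an added example, not part of the sandbox report or the Metasploit project: it encodes those indicators and runs them over constructed Sysmon-style ProcessCreate records and constructed proxy log lines. The PIDs, paths, hashes, URL and User-Agent are copied from the report; the event records, the log format and the function names are assumptions of the example.

```python
"""Detection checks derived from the sandbox report (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators taken from the report.
DROPPED_EXE_SHA256 = "86ee25986f8a5ac50ed96d55c5fcde99383da615ef79289485ff6cc959c31c97"
C2_URL = "http://ctfd.top:8080/2nyC"
C2_HOST = "ctfd.top"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed Sysmon ProcessCreate (EventID 1) records mirroring the report's
# process tree (1968 WScript.exe -> 1696 shell.exe) plus a benign control.
# The Hashes field of a ProcessCreate event is the hash of the image itself,
# so the .vbs hash never appears here (WScript.exe's hash is a placeholder).
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 1968, "ParentProcessId": 1420,
     "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1be00304d3b47ee886ab38c9ffa831a5dcbd0d087d7951462be7e3e0bbb24c9a.vbs"',
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "ProcessId": 1696, "ParentProcessId": 1968,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\shell.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\shell.exe"',
     "Hashes": "MD5=ec68de05630fb6a784838671dba2d7f1,SHA256=" + DROPPED_EXE_SHA256},
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 1968,  # benign control
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"',
     "Hashes": "SHA256=" + "1" * 64},
]

# Constructed proxy log: client, method, URL, User-Agent (tab-separated).
PROXY_LOG = "\n".join([
    "10.0.0.5\tGET\thttp://ctfd.top:8080/2nyC\t" + C2_USER_AGENT,
    "10.0.0.5\tGET\thttp://www.msftconnecttest.com/connecttest.txt\t" + C2_USER_AGENT,
    "10.0.0.7\tGET\thttp://ctfd.top:8080/index.html\tcurl/7.83.1",
    "10.0.0.9\tGET\thttp://ctfd.top:8080/a1b2\t" + C2_USER_AGENT,
])


def _sha256_of(event: Dict[str, object]) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon 'Hashes' field (ALG=hex,ALG=hex,...)."""
    for part in str(event.get("Hashes", "")).split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return None


def find_script_host_temp_children(events: List[Dict[str, object]]) -> List[Tuple[int, int, str]]:
    """Script host (WScript/CScript) starting an executable from the user's
    Temp directory: the exact parent/child pair in the report's process tree."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent = str(e["ParentImage"]).rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and USER_TEMP_RE.search(str(e["Image"])):
            hits.append((int(e["ParentProcessId"]), int(e["ProcessId"]), str(e["Image"])))
    return hits


def find_known_hashes(events: List[Dict[str, object]], known: Set[str]) -> List[Tuple[int, str]]:
    """Exact match of a started image against known-bad SHA256s."""
    return [(int(e["ProcessId"]), _sha256_of(e)) for e in events if _sha256_of(e) in known]


def find_c2_requests(log: str) -> List[Tuple[str, str, str]]:
    """Match the stager's HTTP request. The full URL is the strong indicator;
    the User-Agent is a stock IE11-on-Windows-7 string and only means something
    together with the host, so that pairing is reported as a weaker match."""
    hits = []
    for line in log.splitlines():
        client, _method, url, ua = line.split("\t", 3)
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if url == C2_URL:
            hits.append((client, "exact-url", url))
        elif host == C2_HOST and ua == C2_USER_AGENT:
            hits.append((client, "host+ua", url))
    return hits


if __name__ == "__main__":
    print("script host -> Temp exe:", find_script_host_temp_children(EVENTS))
    print("known hashes:", find_known_hashes(EVENTS, {DROPPED_EXE_SHA256}))
    print("C2 requests:", find_c2_requests(PROXY_LOG))
```

The process rule fires on the parent/child relationship and path, not on the hash, so it still catches a recompiled stager with a different SHA256; the hash check is the cheap exact match for this particular drop. The URL match is the only network indicator worth alerting on by itself, since the User-Agent is the default IE11 string on Windows 7 and will appear in ordinary traffic.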
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\shell.exe
  Filesize: 21KB
  MD5: ec68de05630fb6a784838671dba2d7f1
  SHA1: e3dff2f3ec95a53f51d4ac00f8a4ea244489df0f
  SHA256: 86ee25986f8a5ac50ed96d55c5fcde99383da615ef79289485ff6cc959c31c97
  SHA512: 3fe5912b9cb5adadee46da044349ff13e4bb8e47a5b380287200d7f0a3dd65acf388f27ad4f363b0575fbe2b576686f78a33b29f2184c2ebc77e1779bdf36890

- memory/1696-55-0x0000000000000000-mapping.dmp

- memory/1696-57-0x0000000001030000-0x000000000103B000-memory.dmp
  Filesize: 44KB

- memory/1968-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
  Filesize: 8KB