Overview

overview

10

Static

static

HAV_388323...16.vbs

windows7-x64

10

HAV_388323...16.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HAV_388323793314316.vbs

  • Size

    823KB

  • MD5

    d1adedc9554d952db4e8277ded9070f1

  • SHA1

    71d96853e7a7ac197cf9930ecae348e91bebcfbf

  • SHA256

    8c077bb379c38ab73289605c3d36a8b23df04fc785754ad03efd1c3cd02c1ed2

  • SHA512

    cfcf1e91357a7e6d73329bc28fb217189b88dde386ee6a1c9d0cf8e9ab79774b4d72b4294b77c430db84d1e6d77126d4823a190b10375a049e834595c4f9c3c3

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HAV_388323793314316.vbs"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3040
  • C:\Windows\system32\regsvr32.exe
    regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\regsvr32.exe
      -s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
      2⤵
      • Loads dropped DLL
      PID:2268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
    Filesize

    122KB

    MD5

    c296bbf9e01451686f9aaf2b1570d592

    SHA1

    dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

    SHA256

    696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

    SHA512

    9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
    Filesize

    122KB

    MD5

    c296bbf9e01451686f9aaf2b1570d592

    SHA1

    dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

    SHA256

    696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

    SHA512

    9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

    Download Submit

  • memory/2268-131-0x0000000000000000-mapping.dmp

    Download