Analysis

  • max time kernel
    86s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2022 20:28

General

  • Target

    d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs

  • Size

    21KB

  • MD5

    fc8c88072a8669793e988c241fdc7e59

  • SHA1

    119a1e27fb2897e55fb5d3cd9218733b85b6e6cc

  • SHA256

    d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b

  • SHA512

    f035edc8cee8009be4fbd37073816281ea2e303f90d89cbb1a2d43844adb3b487bccc4e91756ff804ed9264818ea2f9ddf2c73c58d4ce2cf5f1a8895514496f1

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\gbntohsxlda.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39f3855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (T1082), 1

Downloads

  • C:\Users\Admin\AppData\Roaming\9752751290797\rjafzkcrofmhraooo65922735095023.exe
    Filesize

    321B

    MD5

    b0e162f8f5ee7a65e53c5a164ebf8599

    SHA1

    960399826938995f1fa4936b7f57b77ab964d7d1

    SHA256

    bdcc5b1954c278735eac189bee9d73e8eb55d617c1988b2cac96e6b27612720b

    SHA512

    7fa8aa6ac6f28d4778e9de1e457916944dd546c1d6136a363f65cf2d4b5084f6bb3a3902bcbf016202ddc104b889d042c2746a8da0478bc73d75d7c2788943ae

  • C:\Users\Admin\AppData\Roaming\gbntohsxlda.vbs
    Filesize

    652B

    MD5

    d19c54c02d0941c30715c51cc58c0e58

    SHA1

    4d525bdd0b596b5bd8cfd1ce83e22200e8b01681

    SHA256

    781b0e0ccab03975d03ec59b1152a960c3f5669a8f4e36cae06fcbe37d766b2a

    SHA512

    f6b9431be1ff20b2d06b1916764cd1b7307d4cd0771f0b7bb450270155c2842eb796ffd95d9775bacd7d51d764bd65a6bd3e794f9c6f4510f52c7746ef38706e

  • memory/1388-132-0x0000000000000000-mapping.dmp