Analysis
- max time kernel: 86s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 20:28
Static task
static1
Behavioral task
behavioral1
Sample
d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs
Resource
win10v2004-20220722-en
General
- Target: d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs
- Size: 21KB
- MD5: fc8c88072a8669793e988c241fdc7e59
- SHA1: 119a1e27fb2897e55fb5d3cd9218733b85b6e6cc
- SHA256: d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b
- SHA512: f035edc8cee8009be4fbd37073816281ea2e303f90d89cbb1a2d43844adb3b487bccc4e91756ff804ed9264818ea2f9ddf2c73c58d4ce2cf5f1a8895514496f1
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes: WScript.exe
  flow  pid   process
  13    4924  WScript.exe
  15    4924  WScript.exe
  17    4924  WScript.exe
  19    4924  WScript.exe
  21    4924  WScript.exe
  23    4924  WScript.exe
- Drops startup file (1 IoC)
  Processes: wscript.exe
  description   ioc                                                                                              process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbntohsxlda.lnk  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description       ioc                                                                                                        process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                    LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                         LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                          LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                         LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                 LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "213"                   LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                   LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"          LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                    LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                    LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                      LogonUI.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: wscript.exe
  description                 pid   process
  Token: SeShutdownPrivilege  1388  wscript.exe
  Token: SeShutdownPrivilege  1388  wscript.exe
  Token: SeShutdownPrivilege  1388  wscript.exe
  Token: SeShutdownPrivilege  1388  wscript.exe
  Token: SeShutdownPrivilege  1388  wscript.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe
  pid   process
  1432  LogonUI.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WScript.exe
  description                        pid   process      target process
  PID 4924 wrote to memory of 1388   4924  WScript.exe  wscript.exe
  PID 4924 wrote to memory of 1388   4924  WScript.exe  wscript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8773d75709112de3dba7648f8df36584450d5157d440b98cb5185659a70742b.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: wscript.exe C:\Users\Admin\AppData\Roaming\gbntohsxlda.vbs
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39f3855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\9752751290797\rjafzkcrofmhraooo65922735095023.exe
  Filesize: 321B
  MD5: b0e162f8f5ee7a65e53c5a164ebf8599
  SHA1: 960399826938995f1fa4936b7f57b77ab964d7d1
  SHA256: bdcc5b1954c278735eac189bee9d73e8eb55d617c1988b2cac96e6b27612720b
  SHA512: 7fa8aa6ac6f28d4778e9de1e457916944dd546c1d6136a363f65cf2d4b5084f6bb3a3902bcbf016202ddc104b889d042c2746a8da0478bc73d75d7c2788943ae
- C:\Users\Admin\AppData\Roaming\gbntohsxlda.vbs
  Filesize: 652B
  MD5: d19c54c02d0941c30715c51cc58c0e58
  SHA1: 4d525bdd0b596b5bd8cfd1ce83e22200e8b01681
  SHA256: 781b0e0ccab03975d03ec59b1152a960c3f5669a8f4e36cae06fcbe37d766b2a
  SHA512: f6b9431be1ff20b2d06b1916764cd1b7307d4cd0771f0b7bb450270155c2842eb796ffd95d9775bacd7d51d764bd65a6bd3e794f9c6f4510f52c7746ef38706e
- memory/1388-132-0x0000000000000000-mapping.dmp