Overview

overview

7

Static

static

7722_083_pdf.vbs

windows7-x64

3

7722_083_pdf.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    104s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2022, 11:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7722_083_pdf.vbs

  • Size

    2KB

  • MD5

    aa3c2348fd238e40dcad0ae4b9b1141a

  • SHA1

    f2fb2ed0997089ca534b20596f4bda902541f87f

  • SHA256

    ec739af83a7f960def1b1a2e8226d0f7338c3e76972e9e338ddced77a5f8c6b0

  • SHA512

    3ebd91d8770ba4bfe7887d65542e0c27e1dd8dd453941dec138fa8de54296a2851479268d58c6594aec0f69507f322126c765b6ff58312dad71258d2f0476a5f

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7722_083_pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" This page can’t be displayed This page can’t be displayed Make sure the web address http://46.183.223.105 is correct. Look for the page with your search engine. Refresh the page in a few minutes. Check that all network cables are plugged in. Verify that airplane mode is turned off. Make sure your wireless switch is turned on. See if you can connect to mobile broadband. Restart your router. Fix connection problems
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\7722_083_pdf.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7722_083_pdf.vbs'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1356

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          dc045ae29bfd585ab6ed8fd67975e4a9

          SHA1

          ca8a1ad26998ec3bf7a12796b7d7b503a40be633

          SHA256

          0728e3129cfcbba8b05eb409c9998e013b7af9cc974b538a904160b378bd4c13

          SHA512

          bcc997e30f66a8acbb909a3c73ce5b68d7062d29ada1325e58596ff0f4ca5c8e6e40232ea13819a7f40d8e9f786892bb56b7f61625d4c0fb7d7747f5807135c5

          Download Submit

        • memory/288-55-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

          Filesize

          8KB

          Download

        • memory/288-54-0x0000000000120000-0x0000000000130000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1000-66-0x0000000002724000-0x0000000002727000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1000-62-0x000007FEF41B0000-0x000007FEF4BD3000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1000-64-0x000007FEF3650000-0x000007FEF41AD000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1000-68-0x0000000002724000-0x0000000002727000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1000-69-0x000000000272B000-0x000000000274A000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1924-61-0x000007FEF41B0000-0x000007FEF4BD3000-memory.dmp

          Filesize

          10.1MB

          Download

        • memory/1924-65-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1924-63-0x000007FEF3650000-0x000007FEF41AD000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/1924-67-0x000000001B750000-0x000000001BA4F000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1924-70-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1924-71-0x000000000252B000-0x000000000254A000-memory.dmp

          Filesize

          124KB

          Download