99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710

General

Target

99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710.vbs
Size

148KB
MD5

b8f2dd5cfd84eb8a4706b08ecd1da938
SHA1

091994d1c7331c46ad6088593160b47df3b917e7
SHA256

99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710
SHA512

7cc3321fda1fc26b69bf44df906f5d017db86ef49199277089c8a814fc865797a7475971498f97cc7b81e27f9536b47385ec86f06f806fbb36d382f1d968a22b
SSDEEP

1536:D1PdOp9lfum/0e249mSmYmimomYmWmMeDpE6ZkEP5/YRLlhdc0jrMRbNdWhdiSAy:OBqh0P

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wscript.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSShell32 = "wscript //E:vbscript \"C:\\Users\\Admin\\AppData\\Roaming\\MSShell32\" c4bbf69c54"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSShell32 = "wscript //E:vbscript \"C:\\Users\\Admin\\AppData\\Roaming\\MSShell32\" c4bbf69c54"	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2004	1660	WScript.exe	28
PID 1660 wrote to memory of 2004	1660	WScript.exe	28
PID 1660 wrote to memory of 2004	1660	WScript.exe	28
PID 2004 wrote to memory of 520	2004	wscript.exe	29
PID 2004 wrote to memory of 520	2004	wscript.exe	29
PID 2004 wrote to memory of 520	2004	wscript.exe	29
PID 520 wrote to memory of 852	520	powershell.exe	31
PID 520 wrote to memory of 852	520	powershell.exe	31
PID 520 wrote to memory of 852	520	powershell.exe	31
PID 852 wrote to memory of 848	852	csc.exe	32
PID 852 wrote to memory of 848	852	csc.exe	32
PID 852 wrote to memory of 848	852	csc.exe	32
PID 2004 wrote to memory of 1952	2004	wscript.exe	33
PID 2004 wrote to memory of 1952	2004	wscript.exe	33
PID 2004 wrote to memory of 1952	2004	wscript.exe	33
PID 1068 wrote to memory of 772	1068	taskeng.exe	36
PID 1068 wrote to memory of 772	1068	taskeng.exe	36
PID 1068 wrote to memory of 772	1068	taskeng.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //E:vbscript "C:\Users\Admin\AppData\Local\Temp\99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710.vbs" c4bbf69c54
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "$MethodDefinition=[Text.Encoding]::Default.GetString([Convert]::FromBase64String('W0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSwgU2V0TGFzdEVycm9yID0gdHJ1ZSldW3JldHVybjogTWFyc2hhbEFzKFVubWFuYWdlZFR5cGUuQm9vbCldcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBEZWxldGVGaWxlKHN0cmluZyBuYW1lKTtwdWJsaWMgc3RhdGljIGJvb2wgRGVsZXRlWm9uZUlkZW50aWZpZXIoc3RyaW5nIGZpbGVQYXRoKXtyZXR1cm4gRGVsZXRlRmlsZShmaWxlUGF0aCArICI6Wm9uZS5JZGVudGlmaWVyIik7fQ=='));$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -Namespace 'Win32' -PassThru;$Kernel32::DeleteZoneIdentifier('C:\Users\Admin\AppData\Roaming\MSShell32')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwohpydc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC33BE.tmp"
        5⤵
        
        PID:848
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn MSShell32 /tr "wscript //E:vbscript 'C:\Users\Admin\AppData\Roaming\MSShell32' c4bbf69c54"
    3⤵
    - Creates scheduled task(s)
    PID:1952

C:\Windows\system32\taskeng.exe
taskeng.exe {92C018C6-5838-4425-830A-E7E70B1FB89F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE //E:vbscript "C:\Users\Admin\AppData\Roaming\MSShell32" c4bbf69c54
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES33CF.tmp

Filesize
1KB

MD5
2a01e307b423e6942de7b6fff72daf25

SHA1
3864251b4315574593f3ba7835a7229043d3da4c

SHA256
2ecd3e397aec2f4bb8864a54dbc6909b6045628bb6586deb47c8ff91cf405ef7

SHA512
aa88b297276969523388a624d9867a47bc445a042cb9c52e81e40436bae394ed7ca3ca2b0141cfeb98335b61d454cda14e10aa4f2e5611cc6670c1d73ec56234

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwohpydc.dll

Filesize
3KB

MD5
3470599a3bdf0ea779e7257a1457ce73

SHA1
eb38fb9fcb6417a5207b6499f3a40f1079408452

SHA256
be154af1aadc37a5e62af259419104c2b18290abc3cb8407704a04ddc16a0e48

SHA512
c5893f039383e4fffe0a46a39fb38b8dbe85a648cd127106eacd13de51da9f8a1e7e3ab025c3f57ccdd965e10f77a15c4c3628b65c7b52c5a728d1fda48305bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwohpydc.pdb

Filesize
11KB

MD5
4394e9dd1123021bbdbfa13b804b8fd1

SHA1
d7f5acdecf609fcf0edc541941d447bc9b4e1ad0

SHA256
81c419b7ad08e993291f0853c6fd9ebb8f3ded14b27eb32d87667288fc59db62

SHA512
8194c4b4a3b28f632dbd5ea3f6f8cacfd6c2000ae5027a54ecbcaa79ff5772ccdd364dcff6d72cfcda705d4b0eaa815b34ca5b4501958940969653e912572b26

Download Submit
C:\Users\Admin\AppData\Roaming\MSShell32

Filesize
148KB

MD5
b8f2dd5cfd84eb8a4706b08ecd1da938

SHA1
091994d1c7331c46ad6088593160b47df3b917e7

SHA256
99e0bf9359e01c3d542938ca8730c3016fd7c1556e84571e1e2633934d292710

SHA512
7cc3321fda1fc26b69bf44df906f5d017db86ef49199277089c8a814fc865797a7475971498f97cc7b81e27f9536b47385ec86f06f806fbb36d382f1d968a22b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC33BE.tmp

Filesize
652B

MD5
2e0a72f255901f4ac861b254df488d9f

SHA1
b383ee89eb188a71ce80e78b7620e38b6b4210c2

SHA256
da0b3c205a5c7187a373a7c3380b4c695e80ef3eec72565e9b72b99aa78a03ac

SHA512
5d472f56eb3067a920195c78d156fdddd3dc70794a881efbf2b4b07e80cc8836864d37ccdf19c5b76451feb06e163a95eddb56b8049627e425748d239ab85257

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwohpydc.0.cs

Filesize
392B

MD5
65b2ab9f703b79fe4539e16b50d87054

SHA1
7872d5a2eae5200873c29e748fea5a16438f8ebd

SHA256
c968adc982b035cb1e8f10f1a1e5929e8bba0471556652346393b79e6f95a663

SHA512
bb1c00d7e4926edb2075ac846de0be8013fc07094ca5a284a230b640e4ff8c1d11674cdec38e274aa2d2a30fc689b5135e3256cd627828e6a8ed500d33b8fa6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwohpydc.cmdline

Filesize
309B

MD5
d66b849252518fab87c4f0573be6694e

SHA1
452e0e51bf80496b7d12cbfac615c932eab2e42d

SHA256
22a94067ea86887fbad4cbd609ac69e30da2cf08ce08918462b33acb2c2b2ef7

SHA512
5e2e14c8968d68dd1b27f14fbb8b479d42c9b51172bdf239659f2b3326102c769d4b285bb99c88060009db8a2492a7aea3b48d5b16f45b49282e2a6e246b0e88

Download Submit
memory/520-61-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp

Filesize
11.4MB

Download
memory/520-73-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/520-63-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/520-72-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/520-62-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/520-60-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/520-59-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp

Filesize
10.1MB

Download
memory/1660-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads