df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec

Analysis

max time kernel
142s
max time network
170s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 17:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec.vbs
Size

4KB
MD5

21dea128e711313098d82c5c5be4f0e0
SHA1

396275c129f66afa3f17a7b71a4ef6c20e9b2d7a
SHA256

df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec
SHA512

51773370565ca927e0416287bbac87774aa93781c2c0556b3b7ef128fa09365d6d62a24c2da276c1693ce0ab0679850a9b46488b23fea24a29532d45b34a7bfe
SSDEEP

96:ffJwI7iv7wAbiPtb5UQG4OmDp/otZRvxDEAfExD9TQuDGm59QyPv+J/PEmZeAeiB:fBx7ivcAbAwJcV/otZMAcxDXDjT/P2Jr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	980	WScript.exe
3	980	WScript.exe
4	980	WScript.exe
5	980	WScript.exe
6	980	WScript.exe
7	980	WScript.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AUTORUN.INF	WScript.exe
File opened for modification	C:\AUTORUN.INF	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sYSinFO.reG	WScript.exe
File created	C:\Windows\System32\SysInfo.reg	WScript.exe
File opened for modification	C:\Windows\System32\SysInfo.reg	WScript.exe
File created	C:\Windows\System32\prncfg.vbs	WScript.exe
File opened for modification	C:\Windows\System32\prncfg.vbs	WScript.exe
File created	C:\Windows\System32\sYSinFO.reG	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000006b55837c1100557365727300600008000400efbeee3a851a6b55837c2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000006b55837c122041707044617461003c0008000400efbe6b55837c6b55837c2a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000006b55c881100041646d696e00380008000400efbe6b55837c6b55c8812a00000031000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000006b55537e10204c6f63616c00380008000400efbe6b55837c6b55537e2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000075550b90102054656d700000360008000400efbe6b55837c75550b902a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe

Runs .reg file with regedit 2 IoCs

pid	Process
564	regedit.exe
1800	regedit.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1452	cmd.exe
Token: SeSystemtimePrivilege	1452	cmd.exe
Token: SeSystemtimePrivilege	1724	cmd.exe
Token: SeSystemtimePrivilege	1724	cmd.exe
Token: SeSystemtimePrivilege	1700	cmd.exe
Token: SeSystemtimePrivilege	1700	cmd.exe
Token: SeSystemtimePrivilege	780	cmd.exe
Token: SeSystemtimePrivilege	780	cmd.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 952	1984	WScript.exe	28
PID 1984 wrote to memory of 952	1984	WScript.exe	28
PID 1984 wrote to memory of 952	1984	WScript.exe	28
PID 1984 wrote to memory of 564	1984	WScript.exe	30
PID 1984 wrote to memory of 564	1984	WScript.exe	30
PID 1984 wrote to memory of 564	1984	WScript.exe	30
PID 952 wrote to memory of 1468	952	net.exe	31
PID 952 wrote to memory of 1468	952	net.exe	31
PID 952 wrote to memory of 1468	952	net.exe	31
PID 1984 wrote to memory of 524	1984	WScript.exe	32
PID 1984 wrote to memory of 524	1984	WScript.exe	32
PID 1984 wrote to memory of 524	1984	WScript.exe	32
PID 1984 wrote to memory of 1452	1984	WScript.exe	35
PID 1984 wrote to memory of 1452	1984	WScript.exe	35
PID 1984 wrote to memory of 1452	1984	WScript.exe	35
PID 1984 wrote to memory of 1724	1984	WScript.exe	37
PID 1984 wrote to memory of 1724	1984	WScript.exe	37
PID 1984 wrote to memory of 1724	1984	WScript.exe	37
PID 1984 wrote to memory of 980	1984	WScript.exe	39
PID 1984 wrote to memory of 980	1984	WScript.exe	39
PID 1984 wrote to memory of 980	1984	WScript.exe	39
PID 980 wrote to memory of 648	980	WScript.exe	40
PID 980 wrote to memory of 648	980	WScript.exe	40
PID 980 wrote to memory of 648	980	WScript.exe	40
PID 980 wrote to memory of 1800	980	WScript.exe	42
PID 980 wrote to memory of 1800	980	WScript.exe	42
PID 980 wrote to memory of 1800	980	WScript.exe	42
PID 648 wrote to memory of 1680	648	net.exe	43
PID 648 wrote to memory of 1680	648	net.exe	43
PID 648 wrote to memory of 1680	648	net.exe	43
PID 980 wrote to memory of 1700	980	WScript.exe	44
PID 980 wrote to memory of 1700	980	WScript.exe	44
PID 980 wrote to memory of 1700	980	WScript.exe	44
PID 980 wrote to memory of 780	980	WScript.exe	46
PID 980 wrote to memory of 780	980	WScript.exe	46
PID 980 wrote to memory of 780	980	WScript.exe	46

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df6093cc8395612fbbd4363266ff5c78ce332367b4230866380f722296a9cdec.vbs"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stoP SHAredAccESS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stoP SHAredAccESS
    3⤵
    PID:1468
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /S sYSINFO.Reg
  2⤵
  - Runs .reg file with regedit
  PID:564
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" .\
  2⤵
  PID:524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C dAtE 7/14/2009
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dAte 11/21/2022
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\PRNcfg.VBs"
  2⤵
  - Blocklisted process makes network request
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" STOp SHArEdAcCEsS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 STOp SHArEdAcCEsS
      4⤵
      PID:1680
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s sySinFo.REG
    3⤵
    - Runs .reg file with regedit
    PID:1800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c daTe 11/11/2022
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DAte 11/21/2022
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\PRNcfg.VBs

Filesize
4KB

MD5
fb7624667540dfa7277a4aba6df8e121

SHA1
b128c529d35fa22181f60998f299391969db40fa

SHA256
57fe15a48c10354f2aba5f30ace709ba25a9ea39496d865af97328d69123dee4

SHA512
d89cf11a31423e067b8b71cf66145b4ff14454cb5c5d7a5d1713f6d555cc903248f7a38b49fe8245edafb484ab2bbbca087e4f0da800f4607340b43a690fe99b

Download Submit
C:\Windows\system32\sYSINFO.Reg

Filesize
497B

MD5
1fca1f6483e39feb3f2769ec9680b151

SHA1
1294b13e913928624aa8b341fae933eb73a771b8

SHA256
6fac50eeb6342a2071d3fd8cca4b44a1db170063d157e7e54e8c995e70a7a31f

SHA512
4eb0ff47b918dac8af538f5beca9e4f574f10685f96d41a0a5ac4c818ec5bbd5168139e140f8a50e3bd82ea5ca5410863d0d06ea4d4ce44e6e8c71e34114d817

Download Submit
C:\Windows\system32\sySinFo.REG

Filesize
497B

MD5
66b824b2500c1c09c29565874cf06f74

SHA1
c33fb5fb0c6c6e199f0cd60b3650e72f9e79318b

SHA256
96a4e5301dee4708d27440a01ff2efd37a4198df5d6fd4e20fe04be34cc67096

SHA512
83d75f751099a51fddd1f65a57264b6731b6487135658f777edbb142237b1d4c39a55e00081ddc474ceb076195fcc45f95beb09aeab318cafef8d6d8c6f7e585

Download Submit
memory/1296-63-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download
memory/1984-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads