Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 09:35
Static task: static1
Behavioral task: behavioral1
Sample: 49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs
Resource: win10v2004-20221111-en
General
Target: 49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs
Size: 137KB
MD5: 8a766b081dc4e3a60d8aa9fef5b25b65
SHA1: 8e47fcbf4d4e1452959c88ab3ff385ba1c349a1b
SHA256: 49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838
SHA512: 511c91cdbf931c063daa97da1b0d8b9f802f008dd390503720a40ff8579eafbfb3de4710f174acd7bb6627f49f55026a254345c5a269124563fb0026ab2428be
SSDEEP: 192:EmdL+vn03wunMNfNbP3vx9vu8vwyydvNFMj4X0z9bqwlw5v0wQFmixqY+vwv0yra:vmRmuqzkkeo
Malware Config
Signatures
Blocklisted process makes network request 5 IoCs
Processes: WScript.exe
flow  pid   process
27    1036  WScript.exe
46    1036  WScript.exe
75    1036  WScript.exe
83    1036  WScript.exe
104   1036  WScript.exe
Drops startup file 2 IoCs
Processes: WScript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs | WScript.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: WScript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs\"" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\49d24056a61b688a35c1c486f2f11787446a71f425e935084f2cca79245c1838.vbs\"" | WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.